PCI DSS 3.2.1: What Your Business Needs To Know

June 29, 2018

Herjavec Group Contributor: David Mundhenk, CISSP, PCI QSA, PCIP

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard, published and maintained by the PCI Security Standards Council (SSC). It is endorsed and enforced by all major credit card brands and their approved acquirers, and is intended to protect cardholder data wherever it is processed, stored, or transmitted.

PCI DSS version 3.2 was mandatory for all assessments with a report date after October 31, 2016 and had mandatory requirements effective February 1, 2018. A summary of those requirements can be reviewed in detail here.

Most recently, in May 2018, PCI DSS version 3.2.1 was released and became mandatory for all compliance assessments performed after June 30, 2018. ­This version addressed requirements that were previously communicated and considered ‘best practices’ for merchants and service providers but are now mandatory effective June 30, 2018.

There are 2 Mandatory Requirements Effective June 30, 2018, relating to Appendix A2 and Appendix B of the PCI DSSv3.2.1:

Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections - allows the use of existing implementations of early SSL and TLS given that additional security controls are in place to mitigate the potential vulnerabilities associated with their use.

Under this Appendix update, the PCI DSS requirements directly affected are:

  • Requirement 2.2.3 –Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
  • Requirement 2.3 –Encrypt all non-console administrative access using strong cryptography.
  • Requirement 4.1 –Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Service providers still supporting early SSL/TLS must maintain a Risk and Migration Plan to detail the additional security controls in place. To continue the use of legacy SSL/TLS terminals, merchants must be able to maintain vigilance in monitoring for new vulnerabilities that may affect those POS/POI terminals. New POS/POI implementations must not use early SSL or early TLS as a security control.

Appendix B: Compensating Controls - removes multi-factor authentication (MFA) from the list of allowed compensating controls (i.e. legitimate workarounds to any requirement used by enterprises in the event that they cannot meet the requirement as it is explicitly stated).

While merchants and service providers were previously able to use compensating controls in lieu of implementing MFA for non-console administrative access, they are now required to use MFA for all non-console administrative access. The use of one-time passwords (a form of MFA) has also been added as a potential control for this scenario.


This summary offered a brief overview of the requirements presented in PCI DSS v3.2.1.  As a reminder, the goal of the evolving PCI DSS requirements is to ensure improved compliance through risk assessments across your organization. Please these changes carefully and seek support from a third-party assessor in order to ensure compliance.

To learn how Herjavec Group can help you conduct PCI DSS compliance assessments, please connect with a security specialist today.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn