In December of last year, the PCI Security Standards Council announced an extension of the deadline for the Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration. Businesses now have until June 2018 to transition to more secure protocols, giving them a bit more breathing room. In the same December bulletin, the PCI Council also announced the future release of PCI DSS version 3.2, slated for release in 2016. Now that the new year is well underway, the Council has released an update on what to expect and when. Here are the highlights.
The Release of PCI DSS 3.2 is Coming Soon
PCI Security Standards Council Chief Technology Officer Troy Leach says the new version is coming in the first half of 2016, most likely in March or April. The Council now considers PCI DSS a “mature standard,” and expects to make smaller modifications moving forward rather than the significant updates it has made in the past. Version 3.2 will include the updated migration dates for SSL/early TLS.
Version 3.1 will be retired three months after the release of 3.2. As with all updates, there will be a sunrise period, to be announced at a later date. For those operating or assessing payment applications, PA-DSS 3.2 will also be released a month after the PCI DSS 3.2 update.
Expected Changes for PCI DSS 3.2
In a letter to QSAs, Leach provided some hints on what the likely changes to PCI DSS might be. They could include the following updates:
- Suggest or require additional multi-factor authentication for administrators within the Cardholder Data Environment (CDE)
- Incorporate some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
- Clarify the masking criteria for primary account numbers (PAN) when displayed
- Extend the time period for transition away from SSL and early versions of TLS until June of 2018
How to Prepare
Organizations should already have started the SSL/early TLS migration process, regardless of the extended deadline. This is also a good time to assess payment systems to ensure maximum security for customers. It is important to make sure third-party vendors are aware of the upcoming changes as well.
LBMC Information Security reviews compliance efforts, tests to confirm compliance, and can help your team develop an action plan to remediate any gaps. If you have questions, please contact us. Learn more about our PCI Compliance services.
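As a concrete starting point for the migration work described above, here is an added example (not code from the original post or from LBMC) using Python's standard `ssl` module. It builds a client context that refuses SSLv3 and TLS 1.0 by pinning the minimum protocol version to TLS 1.2, and includes a small inspection helper that reports which protocol versions a context will negotiate, so the setting can be verified in a test rather than assumed. The helper names and the choice of TLS 1.2 as the floor are assumptions of this example: PCI DSS 3.1/3.2 require moving off SSL and "early TLS" (TLS 1.0), and TLS 1.2 is the commonly recommended target.

```python
import ssl

# Ordered protocol versions the ssl module knows about, oldest first.
# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels that mean
# "whatever the linked OpenSSL allows", so they are resolved to the
# oldest / newest concrete version below.
_ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Versions that PCI DSS 3.1/3.2 treat as SSL / "early TLS" and
# therefore disallow for protecting cardholder data.
EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2 or newer.

    Hypothetical hardened configuration for this example: certificate
    verification stays on (the PROTOCOL_TLS_CLIENT default) and the
    protocol floor is raised explicitly rather than relying on
    whatever the platform's OpenSSL defaults happen to be.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Return the names of protocol versions the context may negotiate.

    Resolves the MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels to the
    ends of the known list so the result is a concrete, testable range.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _ORDERED[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _ORDERED[-1]
    return [v.name for v in _ORDERED if lo <= v <= hi]


def meets_pci_migration(version_names) -> bool:
    """True when none of the negotiable versions is SSL or early TLS."""
    return not (set(version_names) & EARLY_PROTOCOLS)


if __name__ == "__main__":
    # Compare the process-default context with the hardened one.
    for label, ctx in (
        ("default", ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)),
        ("hardened", hardened_client_context()),
    ):
        versions = allowed_versions(ctx)
        print(f"{label:9s} {versions} -> "
              f"{'OK' if meets_pci_migration(versions) else 'needs migration'}")
```

The same `minimum_version` setting applies to a server-side `SSLContext` built with `PROTOCOL_TLS_SERVER`, which is where the PCI migration actually has to land for a payment endpoint; the default context's result will vary by platform, which is exactly why the floor should be set explicitly rather than inherited.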
Get a Quote for PCI Services
Ready to move ahead with your PCI project? Answer 9 questions and get a quote for your PCI compliance needs.
Download LBMC’s PCI Compliance Guide
Download our guide, PCI Compliance Guidelines Explained, for more ways to stay up to date with PCI compliance for your firm.