Published on: Jul 10, 2018
| Updated: Mar 31, 2025
PCI DSS Version 3.2.1: 3.2 Got a Makeover
PCI DSS version 3.2.1 has been released. Luckily for users, not much has changed. Actually, almost nothing has changed. This update is simply to replace 3.2 in regards to effective dates that a change-over needs to be made entirely. The SSL migration deadlines have already passed, so everyone should be using 3.2 at this time. 3.2.1 was made to get rid of any confusion in regards to the effective dates for PCI DSS 3.2.
PCI SSC Chief Technology Officer Tory Leach said, "It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data."
Small Changes
There were minor changes made. These were mostly in regard to the existing requirements, and how they will be affected once the deadlines have passed. Basically, they are allowing organizations the opportunity to figure out if their implementations are going to meet the requirements of the final deadline on June 30th. During this transition period, there are several key steps you should focus on to ensure compliance with PCI DSS v3.2.1:
Update your reporting templates and forms: This is crucial to align with the new standards and avoid any last-minute hiccups.
Complete your migration from SSL/early TLS prior to June 30, 2018: Ensure your security protocols are up-to-date well before the deadline to maintain data integrity.
Finish validations for 2018 using the standard that best addresses your organization’s reporting needs: Choose the standard that aligns with your specific circumstances for a smoother transition.
Enforce v3.2.1 by January 1, 2019: This step solidifies your compliance efforts and prepares your organization for the new requirements.
By taking these actions, you'll be better equipped to navigate the compliance landscape and meet the necessary deadlines effectively.
Nothing new, really.
Just as the previous version of PCI DSS, version 3.2.1 must be followed by an organization that is storing, processing, or transmitting data of a cardholder. Everyone from the largest financial institutions in the world to little shops downtown must oblige to these rules. The version 3.2.1's rules are already required to be followed, as everything in it was made mandatory on February 1st, 2018. The only parts not yet required is the exception of the previous requirements in regards to TSL security protocols from SSL. These changes are to be finalized by organizations by June 30th, 2018.
To ensure compliance with PCI DSS v3.2.1, organizations should take the following steps during the transition period:
Update Reporting Templates and Forms: Revise your documentation to reflect the new standards. This keeps your records aligned with the latest requirements and simplifies audits.
Complete Migration from SSL/Early TLS: By transitioning to more secure protocols by June 30, 2018, you ensure data integrity and security. This step is crucial to protect sensitive cardholder information.
Finish Validations for 2018: Utilize the standard that best addresses your organization’s reporting needs. This ensures your compliance efforts are tailored and effective.
Enforce v3.2.1 by January 1, 2019: Set this deadline as your ultimate goal for full compliance. Ensure all systems and processes meet the new requirements to avoid any lapses in security.
By integrating these specific actions into your compliance strategy, you can confidently meet the PCI DSS v3.2.1 requirements and safeguard your organization against potential vulnerabilities.
In general, the changes in version 3.2.1 focus on addressing the speed malicious parties are able to exploit weaknesses in the payment card process as a whole. Threats to cardholders are growing at a quick pace as technology of hackers continues to improve. The newest version of PCI DSS was created to combat this.
Version 3.2.1 of the PCI included new subsections, as well as changes to already existing subsections. Below will go over these briefly.
PCI Requirement 6.4.6 - A new subsection requirement, this rule makes it mandatory for all merchants to prove proper security is being utilized when there is a change in the cardholder data environment. This has been implemented to improve safety, and to ensure merchants are taking an active role in preventing hacks.
PCI Requirement 8.3.1 - This change was originally in PCI version 3.2. Basically, this requirement states that multi-factor authentication, or MFA, is required for ALL non-console access. This is a change from the earlier, less strict rule of only needing MFA for remote console access in cardholder data. In version 3.2.1, 8.3 has expanded into 8.3, 8.3.1, and 8.3.2
PCI Requirement 12.11 - This new requirement simply states that service providers must perform quarterly reviews. These reviews must be used to ensure personnel is following all of the operational procedures and the security policies. This is another requirement put in place to keep cardholder's safety the top priority.
PCI Requirement 10.8 - This new requirement states that providers MUST report all failures of their security control systems. These failures can include firewall, file integrity management, logical and physical access controls, antivirus, and anything else that could jeopardize the cardholder's safety and security. A branch off of 10.8, 10.8.1 states that these failures MUST be reported in a timely manner, it and requires that steps are taken to fix the failures.
Discover Essential Resources on PCI DSS Compliance
Navigating PCI DSS compliance can be complex, but there are numerous resources available to guide you through it. Here’s a comprehensive list of where to find valuable information:
Educational Series
Comprehensive Guides: Many cybersecurity firms offer in-depth series that break down PCI DSS in layman's terms, step by step.
Online Webinars: Look for recorded or live webinars hosted by industry experts. These sessions often explore specific PCI requirements and offer insights on compliance best practices.
Key Articles and Whitepapers
In-depth Articles: Websites like CSO Online and c regularly publish articles that discuss updates and best practices in PCI compliance.
Whitepapers: Downloadable documents from trusted cybersecurity organizations provide detailed analyses and include actionable advice on maintaining compliance.
Updates and Deadlines
Industry News Sites: Platforms such as SecurityWeek and Help Net Security frequently update readers about the latest changes in PCI DSS requirements and deadlines.
Forums and Online Communities
Community Discussions: Engage with professionals on forums like Reddit's cybersecurity subreddits or LinkedIn groups dedicated to PCI DSS. These platforms offer real-world advice and peer support.
By utilizing these resources, you can deepen your understanding of PCI DSS and ensure your systems remain compliant, protecting both your business and your customers.
PCI DSS 3.2.1 Summary
In general, almost all 3.2.1 should be being followed already. Most of 3.2.1 is just rewording of already mandated rules, just worded differently and made clearer.
PCI DSS v3.2.1 introduces several clarifications designed to enhance understanding and compliance. Here's a breakdown of how these changes make the document more user-friendly:
Streamlining Requirements: The update removes outdated notes and testing procedures related to SSL/early TLS migration efforts in requirements 2.2.3, 2.3, and 4.1, as these deadlines have already expired.
Transition from Best Practices: Requirements such as 3.5.1, 6.4.6, and others are no longer accompanied by notes about their effective dates, as they have been mandatory since February 1, 2018.
Error Corrections: An error in guidance under Requirement 3.6.2 is corrected, changing a reference from 3.5.1 to 3.5.2, ensuring accuracy.
Focused Allowances: Appendix A2 now emphasizes allowances for POS POIs not susceptible to known exploits, refining the focus on SSL/early TLS usage.
MFA and Compensating Controls: Appendix B clarifies requirements by removing MFA from compensating control examples, reflecting its necessity for all non-console administrative access. The inclusion of one-time passwords as an alternative control demonstrates flexibility.
These enhancements in PCI DSS v3.2.1 ensure that the requirements are not only clearer but also relevant to current security practices.
