On May 17, 2018, the PCI Security Standards Council (PCI SSC) released a revised version of the PCI Data Security Standard (PCI DSS). “This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in 3.2, as well as the migration dates for SSL/early TLS,” said PCI SSC Chief Technology Officer Troy Leach. Version 3.2.1 replaces 3.2 to account for effective dates and SSL/TLS migration deadlines that have already passed. The 3.2.1 update did not affect the Payment Application Data Security Standard (PA-DSS); the changes introduced in v3.2.1 are listed below.
- Appendix A2.1-A2.3 was updated to clarify that only point-of-sale point-of-interaction (POS POI) terminals and their service provider connection points may continue to be secured by SSL/early TLS controls after June 30, 2018.
- Multi-factor authentication (MFA) is now mandatory for all non-console administrative access. One-time passwords were added as an alternative potential control for this scenario.
- Notes referring to an effective date of February 1, 2018 were removed from the applicable requirements, as this date has passed.
- There are no new requirements with this update.
Remember that vendors are typically responsible for all outdated POS POI devices. If a device is vulnerable to potential exploitation, the vendor must upgrade the device or provide a compensating control. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019. Further information on the changes from 3.2 to 3.2.1 is available at https://www.pcisecuritystandards.org/document_library.
Be more than compliant!
Defensix helps organizations build and manage an effective information security program. Compliance alone may not be enough to defend effectively against sophisticated cyber attacks. Defensix is built by a team that understands how real-world attackers think and operate.
Learn how Defensix can help your organization become more secure.