New Requirements in PCI DSS 3.2

in #pci · 7 years ago (edited)

When I wrote the article published in July 2014, PCI DSS 3.0 had been released not long before. It had a profound impact on security operations for SaaS platforms, including solutions in both public and private clouds. On top of that, EMV chip cards were being rolled out in the US, following a couple of high-profile credit card breaches in 2013 in which sensitive consumer data was compromised.

The security industry is in a frenzy, trying to catch up with the latest security requirements and to understand the impact on operations wherever commerce transactions take place.

So what's new in PCI DSS 3.2? Here is the summary (1):

Within the 12 core requirements of the PCI DSS, there are five new sub-requirements for service providers affecting requirements 3, 10, 11 and 12. New sub-requirements have been added to requirement 8 to ensure multi-factor authentication is used for all non-console administrative access and all remote access in the cardholder data environment.

There are also two new appendices.

  1. Appendix A2 incorporates new migration deadlines for removal of Secure Sockets Layer (SSL)/early Transport Layer Security (TLS), in line with the December 2015 bulletin.
  2. Appendix A3 incorporates the “Designated Entities Supplemental Validation” (DESV), which was previously a separate document. All the changes are outlined in the Summary of Changes from PCI DSS 3.1 to PCI DSS 3.2.

Details are in the Summary of Changes published by the PCI Security Standards Council; you can read the full document there. Happy reading.
