PCI v3.2.1 is here!

Version 3.2.1 of the PCI DSS was just released by the PCI Security Standards Council (PCI-SSC).

As a minor version, it primarily included clarification updates and one correction to a requirement reference. Most of the changes center around the removal of the January 31st date, which expired this year.

Appendix A2.1-A2.3 was updated to focus only on the allowance for Point of Sale (POS) Point of Interaction (POI) devices that are not susceptible to known exploits, and their service provider termination points, to continue to use SSL/early TLS. There are some updates to the verbiage in this section, but nothing that would change the meaning of the control.

The PCI-SSC also added a clarification that the use of outdated POS POI devices is solely the responsibility of the user (e.g., the merchant). This is a welcome distinction for service providers, as they will have no responsibilities related to the use of these devices, even though they are supporting the channel for continued use by accepting weak protocols. It will be interesting to see how Approved Scanning Vendor (ASV) scans will handle these for service providers after June 2018.

Keep in mind that merchants are primarily responsible for ensuring that the outdated POS POI devices are not susceptible to any exploits. If they ever are, the merchant must fix the issue either by upgrading the devices or implementing a compensating control.

PCI-SSC has given until the end of 2018 for the continued use of the previous version (3.2). Any Report on Compliance (RoC) issued in 2019 will need to be based on the new version (3.2.1).

If you have any further questions about the changes and how they may affect your environment, feel free to drop us a line. We would be happy to help!

PCI-DSS 3.2.1 Summary of Changes: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Steve Maxwell

Author: Steve Maxwell

Steve has over 18 years of experience spanning software development, software quality, performance engineering, information security, and internal audit. Before TrustedSec, Steve performed a number of functions supporting security initiatives within the retail and healthcare industries. He has presented to and trained hundreds on automation, performance engineering, and attack mitigation techniques.