Recently the PCI Security Standards Council announced an upcoming update to the PCI DSS, which will increment the version from 3.1 to 3.2. We knew an update was coming to account for the changes to SSL and early TLS introduced between version 3 and 3.1, and for the additional guidance on mitigating the risk of using these protocols that has been provided in recent months. Further changes are also being introduced because, given the maturity of the PCI DSS, the update cycle itself is changing. Rather than a significant update at the end of this year, we can anticipate a more dynamic standard with rolling updates that reflect the evolving threat landscape. The next version is scheduled for release in the first half of this year, and the Council is aiming for a March/April timeframe.
To quote the blog, the SSC is evaluating: additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.
The introduction of multi-factor authentication for administrators may pose some challenges: in environments where administrative and application users share systems such as mainframes, where web-based administrative interfaces are available, or where segmentation has existed between in-scope and out-of-scope networks but the out-of-scope network has not been considered ‘remote’. These will be interesting topics to discuss further in the coming months.
Once we have additional information we will inform you. Subscribe to the blog in the right column for updates.
Useful links:
Preparing for PCI DSS v3.2: http://blog.pcisecuritystandards.org/preparing-for-pci-dss-32
Designated Entities Supplemental Validation (DESV) criteria for service providers: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_DESV.pdf
Date Change for Migrating from SSL and Early TLS: http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls