On 17 May 2018, the PCI Security Standards Council (PCI SSC) published a minor revision to the PCI DSS. Revision 3.2.1 will become binding as of 1 January 2019 – version 3.2 remains valid through 31 December 2018.
The minor revision does not introduce any new requirements but eliminates confusion around effective dates and migration deadlines for SSL/early TLS.
The minor changes in PCI DSS v3.2.1 reflect how existing requirements are affected once the effective dates and migration deadlines for SSL/early TLS (30 June 2018) have passed. The individual changes include:
• Elimination of notes referring to an effective date of 1 February 2018 for applicable requirements
• Updates to applicable requirements and Appendix A2 to reflect that only POS POI (point of sale point of interaction) terminals and their service provider connection points may continue using SSL/early TLS as a security control after 30 June 2018
• Removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is now required for all non-console administrative access; addition of one-time passwords as an alternative potential control for this scenario
The changes do not affect the Payment Application Data Security Standard (PA-DSS).
About the PCI Expert Tips:
With our PCI Expert Tips, we would like to keep you informed about changes to the PCI Security Standards and provide you with initial explanations as to what the changes entail and how they may affect you. Please take our articles as a general reference only – they do not replace individual case-by-case evaluations.