The PCI DSS 3.2 standard includes many improvements over previous versions, all of which aim to increase cardholder data protection. We have seen the standard evolve from version 1.1 in 2006, which outlined the basics of the twelve PCI requirements, to the current version 3.2, where the twelve requirements are detailed with extensive explanations, testing procedures, and guidance. Most notably, the current version lists nine requirements that are best practices until January 31, 2018, after which they become official requirements under PCI DSS.
Service providers will be most impacted by these requirements. After January 31, 2018, service providers must:
1. Perform penetration testing on any segmentation controls at least every six months and after any significant changes
2. Maintain documentation to include details of algorithms, protocols, keys, and the hardware used for key management
3. Implement a process to detect and report failures of critical security control systems in a timely manner
4. Respond to critical security control failures in a timely manner
5. Establish executive management as the responsible party for the protection of cardholder data and a PCI DSS compliance program
6. Perform quarterly reviews to confirm that security policies and procedures are being followed
7. Maintain documentation of the quarterly review process
For all entities, the following best practices will become official requirements after January 31, 2018:
8. After a significant change to any system or network, all relevant PCI DSS requirements must be implemented and documentation updated
9. Incorporate multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access
While previous versions of the PCI DSS standard have aimed to secure cardholder data environments, the current version 3.2 provides the PCI Council’s most rigorous approach to data security. As the standard continues to improve, with best practices converting to full-fledged requirements in early 2018, we can be confident that cardholder data is further secured as compliance with the standard is achieved.