All new requirements will be considered best practices until February 1, 2018 in order to allow organizations to prepare to implement the changes detailed in PCI DSS 3.2.
While merchants and banks now have a longer timeframe in which to improve encryption, PCI DSS 3.2 does include an appendix template that businesses use to demonstrate that a migration strategy is in place and that the work is being carried out.
PCI DSS 3.2 also introduces new requirements for service providers to perform quarterly reviews of personnel, to confirm that the employees responsible for protecting cardholder data are following the security procedures in place.
PCI DSS 3.2 brings a significant change in terms of multifactor authentication (MFA). The standard has required MFA for all remote access since version 1.0, but the new change requires MFA for all administrative access to the cardholder data environment (CDE), even from within a local secure network.
Lastly, PCI DSS 3.2 requires new documentation describing a business's cryptographic architecture. PCI DSS version 3.1 will expire on October 31, 2016.