New changes in “PCI DSS 3.2.1” release

By: admin | In: Articles, Blog | September 9, 2018
PCI DSS 3.2.1 published

The Payment Card Industry Data Security Standard (PCI DSS) is an established standard that defines a set of policies and procedures designed to improve the security of payment cards and to protect cardholders against compromise of their data.
PCI DSS certification assures the protection of payment card information through a set of requirements set by the PCI Security Standards Council (SSC). These include standard best practices such as installing firewalls, encrypting data transmissions and using anti-virus software.

PCI SSC released PCI DSS version 3.2.1, a minor revision of the PCI Data Security Standard that companies around the world use to protect payment card information before and during a sale.

PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have already passed. There are no new requirements in PCI DSS 3.2.1; PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.

PCI SSC Chief Technology Officer Troy Leach says:

“It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.”

SSL/early TLS is known to have several vulnerabilities (e.g. Heartbleed, BEAST, POODLE and CRIME), which makes it very risky as a means of protecting data. The modifications include:

  • After 30 June 2018, all businesses must have stopped using SSL/early TLS as a security control and must use only secure versions of the protocol.
  • Point-of-sale terminals, and the SSL/early TLS termination points to which they connect, that can be confirmed as not being vulnerable to any known exploits for SSL/early TLS may continue using these as a security control after 30 June 2018.
  • Removal of multi-factor authentication (MFA) from the compensating control example, as MFA is now required for all non-console administrative access; one-time passwords are added as another potential control for this scenario.
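The first two points come down to one check a defender has to be able to make: does a given endpoint still offer SSLv2/SSLv3/TLS 1.0/TLS 1.1, or is it floored at TLS 1.2? The script below is an added example, not part of the article or of any PCI SSC material. It audits `ssl_protocols` directives in nginx-style configuration text (the nginx syntax and the two sample configs are my own assumptions, constructed for illustration) and, for services written in Python, builds and checks an `ssl.SSLContext` whose minimum version refuses SSL/early TLS handshakes.

```python
import re
import ssl

# Protocol tokens (nginx ssl_protocols syntax) that PCI DSS 3.2.1 classes as
# SSL / "early TLS" and that must no longer be used as a security control.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample configs in assumed nginx syntax (not from the article).
LEGACY_CONFIG = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy: still offers early TLS
}
"""

HARDENED_CONFIG = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # compliant: TLS 1.2 and later only
}
"""

_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);")


def audit_ssl_protocols(config_text):
    """Return one finding per ssl_protocols directive as
    (line number, protocols offered, deprecated protocols among them)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        code = line.split("#", 1)[0]            # drop trailing comments
        match = _DIRECTIVE.match(code)
        if not match:
            continue
        offered = match.group(1).split()
        deprecated = [p for p in offered if p in DEPRECATED_PROTOCOLS]
        findings.append((lineno, offered, deprecated))
    return findings


def is_pci_compliant(config_text):
    """True only when the config states ssl_protocols explicitly and every
    directive offers TLS 1.2 or later exclusively. A config with no directive
    is reported as non-compliant, because the floor then depends on defaults
    the auditor cannot see in the file."""
    findings = audit_ssl_protocols(config_text)
    return bool(findings) and all(not bad for _, _, bad in findings)


def hardened_server_context():
    """Build a server-side SSLContext that refuses SSL/early TLS handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_pci_compliant(ctx):
    """Check an existing SSLContext's protocol floor against TLS 1.2.
    TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (-2) compares below it."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        for lineno, offered, bad in audit_ssl_protocols(cfg):
            print(f"{name} config line {lineno}: offers {offered}; "
                  f"deprecated: {bad or 'none'}")
        print(f"{name} config compliant: {is_pci_compliant(cfg)}")
    print("hardened SSLContext compliant:",
          context_is_pci_compliant(hardened_server_context()))
```

Run it against a real configuration by passing the file's contents to `audit_ssl_protocols`; the same pattern extends to other servers by swapping the directive regex and token set for that server's protocol-selection syntax. Note that the directive check only proves what the configuration asks for; the second bullet in the list above (terminals confirmed not vulnerable) still requires confirming what the deployed software actually negotiates.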