The PCI Security Standards Council has issued version 3.2 of the PCI Data Security Standard (PCI DSS). In a significant policy shift, the council also announced that future revisions to the standard will be issued more frequently than the 3-year major update cycle of the past.

Primary changes include a new multifactor authentication requirement for those with access to cardholder transaction data. Previously, a single password could be used to access cardholder data.

Service providers will be subject to additional change management controls, increased penetration testing requirements and quarterly security policy checks.

The new standard will coexist with version 3.1 through October 2016. PCI assessments performed after that date must conform to the new standard. However, some requirements (such as those related to SSL and TLS) will not take full effect until 2018. A detailed summary of changes is available from the PCI Security Standards Council.
