Summary of Changes PCI DSS V. 3.1 to V. 3.2 Not a Major New Version Areas of Emphasis


Version 3.2 is voluntary through October 31, 2016 and mandatory thereafter.

Not a Major New Version
- The standard is mature
- Most changes are cosmetic or are clarifications of version 3.1
- Incorporates interim deadlines as final deadlines (SSL/TLS issue)
- Changed terminology from "two-factor" authentication to "multi-factor" authentication
- Clarified that patching all software includes payment applications
- Created new Appendix A2 to address the SSL/Early TLS issue
- Added new Appendix A3 to include Designated Entity Supplemental Validation requirements

Areas of Emphasis
There are several new areas of emphasis in Version 3.2:
- Change management
- Administrative access
- Incident response
- Ecommerce, particularly A-EP environments


Version 3.2 SAQs
- No new SAQ versions, but changes to existing ones

Masking PAN
- Displaying the Primary Account Number (PAN)
- Current requirement is that no more than the first six and last four digits of the PAN can be displayed: 123456XXXXXX1234
- Any display of more digits of the PAN requires a legitimate business need
- Requirement 3.3

Change Control
- Additional change control requirement
- Change control processes must include verification of PCI DSS requirements impacted by a (significant) change
- All relevant controls must be implemented on all new or changed systems
- Documentation must be updated as applicable
- Requirement 6.4.6, effective February 1, 2018
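The Requirement 3.3 display rule above is mechanical enough to encode. The following Python is an added example written for this summary; it is not code from the Coalfire deck or from the PCI Security Standards Council. The function names, the 13-19 digit PAN length assumption and the sample log line are mine. Beyond the single case on the slide it handles variable-length PANs, refuses requests that would reveal more than first six / last four, and applies the same mask to PANs found in free text, using a Luhn check so that ordinary 16-digit reference numbers are not mistaken for card numbers.

```python
import re

# PCI DSS 3.3 display limit: at most the first six (BIN) and last four digits.
# Showing more needs a documented business need, so these are hard caps here.
MAX_LEADING = 6
MAX_TRAILING = 4
MASK_CHAR = "X"

# Assumption: PANs in circulation are 13 to 19 digits long.
_PAN_DIGITS = re.compile(r"\d{13,19}")
_PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit verification, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Return the display form of a PAN, exposing at most `leading` and
    `trailing` digits. Spaces and dashes are stripped first so that formatted
    input cannot leak digits around the mask."""
    digits = re.sub(r"[\s-]", "", pan)
    if not _PAN_DIGITS.fullmatch(digits):
        raise ValueError("input is not a 13-19 digit PAN")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("requested display exceeds the first-six/last-four limit")
    if leading + trailing >= len(digits):
        raise ValueError("mask would reveal the entire PAN")
    hidden = len(digits) - leading - trailing
    # Slice from the end by index so trailing == 0 yields an empty tail.
    return digits[:leading] + MASK_CHAR * hidden + digits[len(digits) - trailing:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in `text` with its masked form.
    Non-Luhn runs (order ids, timestamps) are left alone; tighten this if your
    logs would rather over-redact than risk a miss."""
    def _sub(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _PAN_IN_TEXT.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample line: 4111111111111111 is a well-known test card
    # number; 1234567890123456 is a reference id that fails the Luhn check.
    sample = "2016-06-30 order=1234567890123456 pan=4111111111111111 amount=10.00"
    print(mask_pan("1234567890121234"))   # 123456XXXXXX1234, as on the slide
    print(redact_pans(sample))
```

The redaction helper is the part worth keeping around: PANs most often leak through application logs and support tickets rather than through the screens the requirement was written for, and the same first-six/last-four rule applies there.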

Remote Administrative Access to CDE
- For any non-console administrative access to the CDE: all non-console access into the CDE by personnel with administrative access must use multi-factor authentication (8.3.1)
- The current requirement for multi-factor authentication for remote access to the CDE by personnel with administrative access still applies (8.3.2)
- Requirement 8.3.1: best practice until January 31, 2018, then mandatory thereafter

High Risk Vulnerabilities
- Vulnerabilities must be integrated into the risk assessment process
- Clarification that all "high risk" vulnerabilities must be addressed for internal scans, in accordance with the entity's vulnerability ranking (as per Requirement 6.1)
- Remediation must be verified by rescans
- Requirement 11.2.1

Appendix A1 – Shared Hosting Providers
Additional requirements for Service Providers (including Shared Hosting Providers):
- Must maintain a documented description of the cryptographic architecture (Requirement 3.5.1; best practice until January 31, 2018, then mandatory thereafter)
- Detect and report on failures of critical security control systems (Requirement 10.8, effective February 1, 2018)
- Perform penetration testing on segmentation controls at least every six months (Requirement 11.3.4.1, effective February 1, 2018)
- Service Provider Executive Management to establish responsibilities for protection of cardholder data and the PCI DSS compliance program (Requirement 12.4, effective February 1, 2018)
- Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures (Requirement 12.11, effective February 1, 2018)

Appendix A2 – SSL/Early TLS
- Incorporates requirements around insecure SSL/Early TLS
- New system implementations must not use SSL or early TLS (1.0)
- If TLS 1.1 is deprecated by the National Institute of Standards and Technology (NIST), then TLS 1.1 must no longer be used by the deprecation effective date
- All service providers must provide a secure service offering by June 30, 2016
- After June 30, 2018, all entities must have stopped use of SSL/Early TLS
- If SSL/Early TLS is being used, must have BOTH:
  - Mitigation plan to compensate for the risk of SSL/Early TLS
  - Migration plan to get off of SSL/Early TLS no later than June 30, 2018

Appendix A3 – DESV Requirements
- Designated Entities Supplemental Validation (DESV) requirements are now officially incorporated into the DSS
- Any entity touching cardholder data can be designated a "Designated Entity" by the payment brand(s) or the Acquirer for:
  - Storing, processing, and/or transmitting large volumes of cardholder data
  - Providing aggregation points for cardholder data
  - Suffering significant or repeated breaches of cardholder data
- Does NOT add any new requirements to the DSS
- Enhances the documentation / processes already required

Resources
Documents available from the PCI Security Council website at: https://www.pcisecuritystandards.org/document-library?category=pcidss
- PCI DSS V3.2
- PCI DSS Summary of Changes, V3.1 to V3.2
- Prioritized Approach for PCI DSS V3.2
- Prioritized Approach Tool V3.2
- Glossary of Terms, Abbreviations, and Acronyms V3.2
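The Appendix A2 floor translates directly into a protocol-version setting on every TLS endpoint in scope. The following Python is an added example for this summary, not code from the Coalfire deck or from the PCI SSC; the function names are mine. It builds an ssl context that cannot negotiate SSL or TLS 1.0, and an audit helper that reports a context which still permits them. The example deliberately sets the floor at TLS 1.2 rather than 1.1: the ssl module has no way to express "1.1 until its deprecation date", and 1.2 is the version every supported client and server already speaks.

```python
import ssl

# Appendix A2: SSL (any version) and TLS 1.0 are prohibited for new systems.
# TLS 1.2 is chosen as the floor here, which also covers the TLS 1.1 clause.
PCI_MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def build_pci_tls_context(server_side: bool = False) -> ssl.SSLContext:
    """Return an SSLContext whose minimum negotiable version is TLS 1.2.

    create_default_context() already disables SSLv2/SSLv3 and enables
    certificate verification for the client side; the explicit
    minimum_version is what removes TLS 1.0 and 1.1 from the handshake."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose=purpose)
    ctx.minimum_version = PCI_MINIMUM_TLS
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression is a known weakness
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a context that would not meet Appendix A2.
    An empty list means the protocol floor and compression setting are fine."""
    findings = []
    if ctx.minimum_version < PCI_MINIMUM_TLS:
        findings.append(
            f"minimum protocol {ctx.minimum_version.name} still permits SSL/early TLS"
        )
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    good = build_pci_tls_context()
    print("compliant context findings:", audit_tls_context(good))

    # A context that has had its floor removed, to show what the audit catches.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    print("lax context findings:", audit_tls_context(lax))
```

The audit function is the half that helps with the "migration plan" bullet: run it over the contexts your own services construct, or wrap the build function so that no code path can create a context without the floor.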

For More Information
For additional information or if you have any questions, please contact Coalfire through:
- Joseph D. Tinucci, CTP, QSA, CISSP (Joseph.Tinucci@Coalfire.com)
- Jon Bonham, CISA, QSA (Jon.Bonham@Coalfire.com)
- Dirk Anderson, CRISC, CISA, QSA, ASV (Dirk.Anderson@Coalfire.com)
