PCI DSS – Changes from v3.2 to v3.2.1

The PCI Council released a minor update to the Payment Card Industry Data Security Standard (PCI DSS) in May of this year. Their isn’t really anything earth shattering included in this update, but it’s always worth knowing exactly what changes are made, especially if being PCI compliant affects your business. The changes from v3.2 to v3.2.1 center around clarifications regarding the sunset of the migration window for SSL and “early TLS”. Some minor punctuation, grammar, and formatting issues are also included.

What You Need To Know

  • This version doesn’t contain the introduction of any new control requirements.
  • SSL and early TLS have now been completely deprecated, and may no longer be used by anyone claiming PCI compliance. The updated version of PCI DSS changes from v3.2 to v3.2.1 remove all references to mitigations or allowances for these protocols.
  • Merchants or service providers that deal with Point-of-Sale (POS) Point-of-Interation (POI) devices that still require SSL and early TLS may still use those solutions in some specific circumstances with certain controls in place.
  • The updated version removes all references to the effective date of February 2018 for a number of controls, as that date has already passed and all of these requirements are in full-force.

Why Do The Changes From v3.2 To v3.2.1 Matter?

Kind of a trick question. This update is incredibly minor, compared to others, and should have no net impact on your organization or compliance efforts. But, keeping updated on any and all changes to the standard is critical for a strong PCI compliance program. Anyone with ongoing validation efforts can continue using v3.2 of all associated validation templates (AOC, SAQ, ROC) until the end of this year, December 31, 2018. Keep an eye out for the next major update, as I don’t expect it to be as minimal!

As always, if you’ve got any questions feel free to leave a comments below or contact us.