PCI DSS 3.2 Requirements and What’s New
PCI DSS 3.2 includes some changes about which you should know. Many thanks to our auditor, KirkpatrickPrice, for explaining the details to folks via a new webinar.
In this special session, Shannon Lane – a QSA, CISSP, and auditor with KirkpatrickPrice – discusses what’s new in PCI DSS 3.2 and the changes from PCI DSS 3.1 to 3.2 that may have a significant impact on your organization. Listen to the full webinar to learn details about the changes and how it could impact your organization. In the Q & A portion, don’t miss out on Shannon Lane’s auditing expertise.
PCI DSS 3.2 requirements covered include:
1.1.6 – Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
1.3.5 – Removed reference to stateful inspection and restated as “allow only established connections”.
1.4 – Install a personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee owned) that connect to the Internet when outside the network, and which are also used to access the CDE.
2.1 – Hardening of systems now include payment applications.
3.4.1 – Added note: this requirement applies in addition to all other PCI DSS encryption and key management requirements.
6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
6.5 – Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.
8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
8.3.2 – Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least 3 months, unless otherwise restricted by law.
11.2.1 – Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high-risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
12.6 – Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
12.8.1 – Maintain a list of service providers including a description of the service provided.
12.10.2 – Review and test the plan at least annually, including all elements listed in Requirement 12.10.1.
Also covered in this webinar are requirement changes specifically for services providers. The following requirements are considered best practice until January 31, 2018, after which they will become requirements:
3.5.1 – Maintain a documented description of the cryptographic architecture.
10.8 – Implement a process for timely detection and reporting of failures of critical security control systems.
10.8.1 – Respond to failures of any critical security controls in a timely manner.
220.127.116.11 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
If we can help you learn more, contact us today.