May 2018 will welcome the arrival of a new version of the PCI DSS. The minor update will contain NO NEW REQUIREMENTS and will be given the version number 3.2.1.
The requirements that came into effect in February 2018 will have the following text removed:
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Typos, punctuation and formatting will also be fixed.
Just as a refresher, the January 31, 2018 requirements included:
- 3.5.1 Service providers must maintain cryptographic architecture documentation
- 6.4.6 Significant changes.
- 8.3.1 Multifactor authentication into the CDE for personnel with administrative access
- 10.8 and related 10.8.1 Service Providers must implement processes for the timely detection and reporting of failures of critical security control systems
- 11.3.4.1 Service providers who use segmentation have to pen test their segmentation controls every 6 months.
- 12.4.1 Service providers' executive management must establish responsibility for protection of CHD and the PCI DSS compliance program.
- 12.11 and related 12.11.1 Service providers must confirm personnel are following policy and procedure quarterly.
PCI DSS v3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.