The PCI Security Standards Council released the latest version of its Payment Card Industry Data Security Standards (PCI DSS v3.2) in April 2016. Version 3.1 expired on October 31, 2016, and businesses have until February 1, 2018 to implement the new requirements.

You can read the full guide titled PCI DSS 3.2 Resource Guide available to download on pcisecuritystandards.org.

The Key Differences Between PCI DSS v3.1 and v3.2

Use Multi-factor authentication instead of two-factor authentication

The Council clarified that any personnel with administrative access into a cardholder data environment must provide at least two or more credentials to obtain access. This applies to any administrator, third party or business employee. Version 3.1 only called for two-factor authentication.

What You Can Do

Businesses should review how they are currently managing authentication. Credentials can be something you know (such as a password), something you have (such as a token or smart card) or something you are (such as a biometric, like fingerprint or voice recognition).


ONLY if instructed, some businesses will need to follow additional criteria

The Council added an appendix of additional testing criteria that is ONLY applicable if a business is instructed by an acquirer or payment brand. If instructed, the business will need to undergo an assessment according to the new document PCI DSS Supplemental Designated Entities Validation (DESV). Organizations that are most likely to fall into this category include those storing, processing or transmitting large volumes of cardholder data, providing aggregation points for cardholder data, or businesses that have suffered significant or repeated data breaches in the past.

What You Can Do

Follow the general standards and goals (see below). If a business is interested in going above and beyond the requirements, follow the additional criteria outlined in this document.


New requirements for service providers

There are many new requirements for service providers, which are business entities that are directly involved in the processing, storage or transmission of cardholder data on behalf of another business. For example, this could be a managed service provider that offers managed firewalls, IDS and other services or a hosting provider.

The new requirements include mandatory penetration testing every six months, instead of once a year, to confirm that security controls are working properly. Quarterly reviews of internal security policies and operational procedures are also recommended, and there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program.

What You Can Do

Make sure that the third parties you work with are PCI compliant as well.

Article by Clearent by Xplor

First published: March 17 2023

Last updated: March 28 2024