On October 31, 2016, PCI DSS v3.1 will be retired and the requirements of PCI DSS v3.2, released in April, will take effect as the new payment data security “best practices” applicable to merchants, financial institutions, and vendors accepting major credit cards, including American Express, MasterCard, and Visa. The amendments are designed to improve payment card security and prevent payment data breaches.
To help ease the transition, the PCI Security Standards Council will allow industry participants a grace period until January 31, 2018 to implement these amendments. Beginning on February 1, 2018, the amendments will graduate from “best practices” into full-fledged requirements. The changes encompass clarification of existing security requirements, additional guidance on several topics, and evolving requirements for addressing emerging data security threats.
The PCI Data Security Standard consists of twelve requirements aimed at the following six goals:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The majority of the amendments are in the nature of “additional guidance” or “clarification” and are helpful in addressing some of the uncertainty about how to put certain existing requirements into practice. Industry participants should pay particular attention to the “evolving requirements,” which signal substantive changes. The highlights of the “evolving requirements” include: