Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

What You Need to Know About PCI DSS 3.2 (and Why Security Comes First)

As promised, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.2 of its payment card requirements on Thursday.

This release is arguably more significant for the way it is being introduced and the underlying message than for the changes themselves, which are few and have been recommended security best practices for some time.

With fewer changes in this release and a longer-than-usual runway for the changes to take effect, PCI Security Standards Council Chief Technology Officer Troy Leach said he believes the updated version gives organizations a chance to plan for and implement security processes that help mitigate against cyberattacks.

Approaching the PCI standard from a security perspective is a mantra that Trustwave has delivered on for 20 years. In fact, if you have been practicing a security-first, "business as usual" approach with your PCI compliance, you may have already considered implementing some of these changes.

On the other hand, maintaining a secure posture in the face of today's cyberthreats is never easy. The potentially devastating and unexpected nature of new threats is one of the reasons the PCI SSC cites for moving away from its previous three-year cycle for releasing updated versions. The council has even removed from the standard specific references to technologies being "strong" and "secured." As we learned with SSL vulnerabilities like Heartbleed, today's strong and secured technology is tomorrow's weak link.

Let's take a look at the highlights of PCI DSS 3.2 and their impact on you:

Key Dates

  • PCI DSS 3.2 is now available for PCI assessments, although you can continue to submit a PCI DSS 3.1 assessment until Oct. 31 of this year.
  • All new requirements within PCI DSS 3.2 have a longer grace period, taking effect Feb. 1, 2018.
  • Timelines for migration from SSL and TLS 1.0  remain as last communicated:

    • All service providers must provide a secure offering by June 2016
    • All entities must cease use of SSL and TLS 1.0 as a security control by June 30, 2018
    • Some point-of-sale (POS) or point-of-interaction (POI) terminals may be subject to exemption as described in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS


What's New in 3.2 for the Enterprise?

Here are key new requirements in PCI DSS 3.2:

  • Requirement 3.3 updates specifications around displaying primary account numbers (PANs) to ensure that only the minimum number of digits are displayed as necessary to perform a specific business function.
  • Requirement 6.4.6, which goes into effect on Feb. 1, 2018, is designed to ensure that security controls are in place following changes to the cardholder data environment.
  • One of the more significant changes is focused on multifactor authentication in Requirement 8.3. It updates the language from "two-factor authentication" and expands the requirement from personnel with remote access to all personnel with non-console administrator access to card data and systems.

8.3.1, which goes into effect Feb. 1, 2018, requires an individual to present a minimum of two separate forms of authentication (such as a password, a smart card or a fingerprint) before access to the cardholder data environment is granted. This extra layer of authentication means that a password alone is not enough and provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, which increases the difficulty of compromise and thus reduces the risk.

Authentication weaknesses leave systems highly vulnerable. The need for multifactor authentication and the risks of not employing it are so concerning that your organization should be moving as quickly as possible to implement it, regardless of the compliance requirement. In fact, the 2016 Trustwave Global Security Report (GSR)  found that authentication ranked second on the list of the most common critical vulnerabilities uncovered by penetration testing in 2015.


What else do you need to know?


One of the reasons the PCI council gave for releasing version 3.2 now instead of waiting until fall is to be clear about the extended deadlines for replacing SSL and TLS 1.0 protocols. Despite the 2018 deadline, you should move to replace these protocols as quickly as possible. Of the top 10 critical vulnerabilities identified through penetration testing by Trustwave in 2015, SSL protocol vulnerabilities ranked first.


New requirements for third-party service providers are focused on additional security best practices and their documentation, as well as penetration testing on segmentation controls at least every six months and quarterly reviews to confirm personnel are following security policies and operational procedures. Of the 12 core requirements of the PCI DSS, there are five new sub-requirements for service providers within requirements 3, 10, 11 and 12. These requirements (3.5.1, 10.8, 10.8.1,, 12.4.1) are considered "best practices" until they go into effect on Feb. 1, 2018.


PCI DSS 3.2 clarifies that some continuous "business-as-usual" controls may be requirements for certain entities, such as those defined in the Designated Entities Supplemental Validation (DESV) in Appendix A3. As the PCI DSS notes in relation to the new appendixes, including the DESV, "All organizations should consider implementing these best practices into their environment, even where the organization is not required to validate to them."


How to Get Help

Trustwave can help you complete your PCI DSS assessment or begin your preparation for PCI DSS 3.2. In either case, the changes announced in version 3.2 are security best practices that you should begin implementing regardless of the standard.

Dixie Fisher is product marketing manager of compliance solutions at Trustwave.

Latest Trustwave Blogs

Mining Operations: Critical Cybersecurity Threats & Trends Revealed

Cybersecurity professionals often point out that threat actors do not differentiate when choosing a victim. To an attacker, a hospital is as useful a target as a law firm or even a mining operation....

Read More

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More