2. Kyte Consultants Ltd. UPDATE to PCI DSS v3.2 2
UPDATE to PCI DSS v3.2

Effective February 1st, 2018, a number of PCI DSS requirements become mandatory which were previously considered best practice only. The following table highlights the changes per PCI DSS certification:
| Requirement | Description | Merchant | Service Provider |
|---|---|---|---|
| 3.5.1 | Maintain a description of the cryptographic architecture | | ✓ |
| 6.4.6 | Upon significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated | ✓ | ✓ |
| 8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access | ✓ | ✓ |
| 10.8 | Implement a process for the timely detection and reporting of failure of critical security systems | | ✓ |
| 10.8.1 | Respond to failures of any critical security controls in a timely manner | | ✓ |
| 11.3.4.1 | If segmentation is used, perform testing on segmentation controls every 6 months and after any changes to segmentation controls/methods | | ✓ |
| 12.4.1 | Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program | | ✓ |
| 12.11 | Perform reviews, at least quarterly, to confirm personnel are following security policies and operational procedures | | ✓ |
| 12.11.1 | Maintain documentation of the quarterly review process | | ✓ |
Most changes apply to service providers; however, requirements 6.4.6 and 8.3.1 apply to all entities that want to maintain PCI DSS certification.

Requirement 6.4.6 is important in order to re-validate PCI DSS scope and update documentation when major changes are made to the cardholder data environment or the processes surrounding it. This is not limited to updating network diagrams and data flows: all controls surrounding the CDE must be reviewed as well.
While multi-factor authentication was already required for remote access, it now becomes mandatory for all administrative access that is not performed directly at the device console. Non-console access is defined as: “logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component including access from within local/internal networks as well as access from external, or remote, networks.” This is particularly relevant when the CDE is in a remote data centre, virtualized, or in the cloud.
Service providers have additional requirements to meet in order to service their clients.

Service providers must maintain clear documentation of the cryptographic architecture the entity employs. Short or quick overviews are no longer valid documentation for PCI DSS compliance. Requirement 3.5.1 stipulates that the documentation must include:
• all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date;
• a description of the key usage for each key; and
• an inventory of any HSMs and other SCDs used for key management.
Requirements 10.8 and 10.8.1 provide clearer guidance as to which security control systems must be monitored and reported upon should they fail. These are: firewalls, intrusion detection/prevention systems, file integrity monitors, anti-virus systems, physical access controls, logical access controls, audit logging mechanisms and segmentation controls (if any). Should any of these systems fail, a process must be in place to restore functionality (ideally quickly), identify and document the cause (root cause analysis), address any security issues that arose during the failure, update the risk assessment, and implement controls to prevent a repeat of the failure, while continuing to monitor as per operating procedures.
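As an added illustration (not part of the Kyte Consultants document), the following Python script shows one way to implement the detection side of requirement 10.8: each critical control emits a heartbeat line, and a control that reports an error or goes silent beyond a tolerated gap is flagged together with the evidence an assessor would ask for. The heartbeat format, control names, thresholds and sample log are all assumptions.

```python
# Added example: detecting failed critical security controls (PCI DSS 10.8).
# Assumed heartbeat format: "<ISO timestamp> <control> <status>"; thresholds
# and control names are assumptions, and the sample log is constructed.
from datetime import datetime, timedelta

# Longest silence tolerated per control before it is treated as failed.
CRITICAL_CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids_ips": timedelta(minutes=5),
    "fim": timedelta(minutes=5),           # file integrity monitoring
    "audit_logging": timedelta(minutes=5),
    "segmentation": timedelta(minutes=5),
}

# Constructed sample: 'fim' stops reporting after 08:00, 'firewall' errors.
SAMPLE_LOG = """\
2018-02-01T08:00:00 firewall OK
2018-02-01T08:00:00 ids_ips OK
2018-02-01T08:00:00 fim OK
2018-02-01T08:00:00 audit_logging OK
2018-02-01T08:00:00 segmentation OK
2018-02-01T08:05:00 firewall ERROR
2018-02-01T08:05:00 ids_ips OK
2018-02-01T08:05:00 audit_logging OK
2018-02-01T08:05:00 segmentation OK
"""

def parse_heartbeats(text):
    """Return {control: (last_seen datetime, last_status)}."""
    last = {}
    for line in text.splitlines():
        ts, control, status = line.split()
        last[control] = (datetime.fromisoformat(ts), status)
    return last

def detect_failures(text, now_iso):
    """Flag controls that never reported, reported a non-OK status, or went
    silent longer than their threshold; the message records the evidence."""
    now = datetime.fromisoformat(now_iso)
    last = parse_heartbeats(text)
    findings = {}
    for control, max_gap in CRITICAL_CONTROLS.items():
        seen, status = last.get(control, (None, None))
        if seen is None:
            findings[control] = "never reported"
        elif status != "OK":
            findings[control] = f"reported {status} at {seen.isoformat()}"
        elif now - seen > max_gap:
            findings[control] = f"silent for {now - seen}; last OK {seen.isoformat()}"
    return findings
```

The returned dictionary is what a 10.8.1 response process would consume: the timestamp of the last good heartbeat bounds the window during which the control was not functioning.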
In environments where segmentation controls are used to limit the scope of the cardholder data environment, requirement 11.3.4.1 requires that the segmentation controls be tested at least twice yearly, at six-month intervals, to ensure their continued effectiveness. Testing must be repeated whenever segmentation controls are changed.
Executive management needs to assume responsibility for the protection of cardholder data and to ensure there is a PCI DSS compliance program within the entity. Requirement 12.4.1 requires overall accountability for maintaining PCI DSS compliance via a PCI DSS charter, which also includes effective communication to executive management. This is especially important in order to ensure continued compliance during key personnel turnover and during security incidents.
Requirements 12.11 and 12.11.1 ensure that, on a quarterly basis, it is confirmed that daily log reviews, firewall rule-set reviews, application of configuration standards to new systems, response to security alerts, and change management processes are being followed. Documentary evidence that such reviews are being performed is to be retained as evidence for the forthcoming audit.