What’s New with PCI DSS 3.2?


The PCI Security Standards Council released the latest version of its Payment Card Industry Data Security Standards (PCI DSS v3.2) at the end of April. Version 3.1 will expire on October 31, 2016, but businesses have until February 1, 2018 to implement the new requirements.

You can read the full guide titled PCI DSS 3.2 Resource Guide available to download on pcisecuritystandards.org.


Use multi-factor authentication instead of two-factor authentication

The Council clarified that any personnel with administrative access into a cardholder data environment must provide at least two or more credentials to obtain access. This applies to any administrator, third party or business employee. Version 3.1 only called for two-factor authentication.


Businesses should review how they are currently managing authentication. Credentials can be something you know (such as a password), something you have (such as a token or smart card), or something you are (such as a biometric, like fingerprint or voice recognition).

ONLY if instructed, some businesses will need to follow additional criteria

The Council added an appendix of additional testing criteria that are ONLY applicable if a business is instructed by an acquirer or payment brand. If instructed, the business will need to undergo an assessment according to the new document PCI DSS Supplemental Designated Entities Validation (DESV). Organizations that are most likely to fall into this category include those storing, processing or transmitting large volumes of cardholder data, providing aggregation points for cardholder data or businesses that have suffered significant or repeated data breaches in the past.


Follow the general standards and goals (see below). If a business is interested in going above and beyond the requirements, follow the additional criteria outlined in this document.

New requirements for service providers

There are many new requirements for service providers, which are business entities that are directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. For example, this could be a managed service provider that offers managed firewalls, IDS and other services or a hosting provider.

The new requirements include mandatory penetration testing every six months, instead of once a year, to confirm that security controls are working properly. Quarterly reviews of internal security policies and operational procedures are also recommended, and there’s a new requirement for executive management to establish responsibility for protection of cardholder data and the PCI DSS compliance program.


Make sure that the third parties you work with are PCI compliant as well.


Hosted Payments

Reduce PCI hassles and match the look and feel of your site...

Read More »

Clearent Marketplace

Find business solutions that are seamlessly integrated with our payments platform...

Read More »

Custom-Built Virtual Terminal

A quick, easy, and secure way to accept payments in the office or on the go...

Read More »