PCI DSS 3.2: What Does This Mean For Your Business?
The PCI Council has officially announced that the next minor release of the PCI DSS standard will be released in the first half of 2016.
PCI DSS 3.2 primarily addresses the revised migration dates away from SSL/early TLS. As mentioned at the PCI London event which took place earlier this year, the new migration deadline will be set for 2018. While PCI DSS 4.0 is the new standard, many vendors will continue using 3.2 requirements as full 4.0 compliance isn’t required until 2025.
While new versions of the PCI DSS standard are typically released in November of each year, it was explained that there are two reasons for the earlier release date: first, the PCI DSS is recognized as a mature standard and does not require frequent significant updates; second, an early release gives companies more time to evaluate the business case for their security investments.
In addition, the PCI Council is evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE), incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers, and clarifying masking criteria for primary account numbers (PAN) when displayed.
Version 3.2 will be the new effective standard the moment it is published, and version 3.1 will be retired three months after to allow organizations to complete PCI DSS v3.1 assessments already underway.
That’s great, but what does this mean for my business?
The most notable change would be the new migration deadline away from SSL/early TLS. This is because they are no longer considered examples of strong cryptography or secure protocols.
However, as Jeremy King stressed at PCI London — this doesn’t mean that anyone should be taking the extended deadline as an invitation to put off migration. Never forget that compliance is just a means to being secure: if you can move past SSL and early TLS now, do it.
Putting version 3.2 aside, a large number of businesses are still struggling with one of the core requirements of version 3.0: making data security a Business As Usual (BAU) practice.
This means that security should not be something you only think about annually, monthly, or even weekly. Every company has to take steps to ensure that keeping their sensitive data safe is a daily endeavor.
This means that, on a daily basis, security controls (such as firewalls) are monitored and confirmed to be operating effectively as intended, and failures in security controls have to be detected and responded to post-haste.
One key area of security control, directly related to the damage incurred during a data breach, is the storage of sensitive data: the more sensitive data builds up on your systems, the more you stand to lose during a data breach.
Taking BAU by the horns with Enterprise Recon
Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.
Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.
Book a demo of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.