The PCI DSS 3.2 release is designed to improve point-of-sale and e-commerce security standards. This new version requires moving away from older, less secure transport security protocols (SSL and early TLS) by June 2016. Full compliance with the 3.2 standards is set for June 2018.

https://isc.sans.edu/forums/diary/New+release+of+PCI+DSS+version+32+is+available/21003/

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf

A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially service providers.  For service providers struggling to move customers away from SSL and weak TLS there is some good news.  The deadline for this requirement has been moved to June 30, 2018.  Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30, 2016 (yes, two months). This shouldn't be too onerous as most service providers will already have this in place.

There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than as a once-a-year effort.  A number of these are also quarterly requirements.  They include:

* 3.5.1 – Maintain a documented description of the cryptographic architecture.
* 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
* 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
* 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
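The two dates in the SSL/early-TLS passage above (offer TLS 1.1 or 1.2 by June 30, 2016; stop accepting SSL and TLS 1.0 after June 30, 2018) lend themselves to a quick self-check of a service provider's own endpoint. The following is an added example written for this page, not code from the ISC diary or from the PCI Security Standards Council. It assumes Python's standard `ssl` module, probes one handshake per protocol version, and then grades the result against those dates; the `SAMPLE_LEGACY` dictionary is a constructed probe result so the grading logic can be run offline. Where the local OpenSSL build refuses to even offer a legacy version, the probe reports it as inconclusive rather than as "rejected by the server".

```python
"""Grade a TLS endpoint against the PCI DSS 3.2 SSL/early-TLS migration dates."""
import socket
import ssl
from datetime import date

# Deadlines as stated in the PCI DSS 3.2 summary for service providers.
SECURE_OFFERING_DEADLINE = date(2016, 6, 30)  # must accept TLS 1.1 or 1.2 by this date
SSL_EARLY_TLS_DEADLINE = date(2018, 6, 30)    # SSL / TLS 1.0 must be off after this date

# Protocol versions, weakest to strongest, with the ssl module's enum values.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
WEAK = {"SSLv3", "TLSv1.0"}
STRONG = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def probe_versions(host, port=443, timeout=5.0):
    """One handshake per version. Returns {name: True (accepted), False (rejected),
    None (inconclusive: the local OpenSSL would not offer that version at all)}."""
    results = {}
    for name, version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate chain
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None  # version compiled out of the local OpenSSL
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except ssl.SSLError as exc:
            # Client-side refusal (e.g. OpenSSL 3 security level) is not a server rejection.
            results[name] = None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError:
            results[name] = False
    return results


def evaluate(results, today_iso):
    """Apply the 3.2 dates to a probe result.
    Returns (compliant, failures, warnings) for the given assessment date (ISO string)."""
    today = date.fromisoformat(today_iso)
    failures, warnings = [], []
    offers_strong = any(results.get(v) for v in STRONG)
    weak_on = sorted(v for v in WEAK if results.get(v))
    unknown = sorted(v for v in WEAK if results.get(v) is None)

    if not offers_strong:
        bucket = failures if today >= SECURE_OFFERING_DEADLINE else warnings
        bucket.append("does not accept TLS 1.1 or 1.2 (required from 2016-06-30)")
    if weak_on:
        bucket = failures if today > SSL_EARLY_TLS_DEADLINE else warnings
        bucket.append("accepts " + ", ".join(weak_on) + " (must be disabled by 2018-06-30)")
    if unknown:
        warnings.append("could not test " + ", ".join(unknown) + ": local OpenSSL will not offer them")
    return not failures, failures, warnings


# Constructed sample: a server that still speaks TLS 1.0 alongside TLS 1.1/1.2 (not a real host).
SAMPLE_LEGACY = {"SSLv3": False, "TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}

if __name__ == "__main__":
    for when in ("2016-07-01", "2018-07-01"):
        ok, fails, warns = evaluate(SAMPLE_LEGACY, when)
        print(when, "compliant" if ok else "NOT compliant", fails, warns)
    # Live use: evaluate(probe_versions("payments.example.invalid"), date.today().isoformat())
```

Run against a live host with `evaluate(probe_versions(host), date.today().isoformat())`; the sample run shows the same configuration passing with a warning in 2016 and failing after the 2018 deadline, which is exactly the transition the diary describes.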