Skip to the main content.
Contact
Contact

1 min read

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

What's changed in PA-DSS 3.2? Impacts to Vendors, Implementers, and Operators.

Recently, Control Gap posted an article performing a detailed analysis of the recent changes in the DSS due to 3.2. We do this because the high-level change summaries published by the PCI Security Standards Council provide only a starting point for in-depth investigation.  Our detailed analysis provides a useful next step that can help organizations to more fully understand the impact of changes to their environment.

PCI PA-DSS is a supporting standard that aligns with PCI DSS.  It has typically moved in lock step with the DSS.  So when the DSS changes, so does the PA-DSS. This article looks at the recent changes in detail.

While the PA-DSS may be primarily of interest to vendors of payment applications, it also affects any organization that implements or operates these applications. This article will be of use not only to payment application vendors, but also to those who implement and operate payment applications.

What Is the Difference Between PCI PA-DSS v3.1 and PCI PA-DSS v3.2?

In addition to over one thousand changed words, 2 new requirements, and 1 numbering change, there were:

28 Total Discrete Change Clusters

  • 16 of these changes have an impact rating of None. These changes have a negligible impact on compliance and help to improve clarity and understanding on intent.
  • 11 of these changes have an impact rating of Low. These changes have a low impact on compliance and are a new incremental change that potentially alter compliance efforts.
  • 1 change has an impact rating of High. This new requirement has a potential high impact on compliance and are can  potentially significant involve effort to achieve or sustain compliance.pa-dss-change-clusters-269x300

5 Evolving (New or Changed) Requirements

  • 4 of these changes have an impact rating of Low (#3, 4, 5, 9, 18 in our analysis)
  • 1 of change has an impact rating of High (#18 in our analysis)

pa-dss-evolving-298x300

There are several other significant differences between PCI DSS V3.1 and PCI DSS V3.2. To see a quick overview of the rest of the changes, read our Change Analysis Brief. If you would like to know every word that changed, read our Change Analysis Document.

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance

3 min read

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance

New 8-digit Bank Identification Numbers (BIN) could complicate PCI truncation rules and create compliance headaches for those required to maintain...

Read More
Why POI Tamper Inspections are so Important

1 min read

Why POI Tamper Inspections are so Important

It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device installed...

Read More
The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript

6 min read

The DSS, MageCart, and the DOM – Part 2 Browsers, the DOM, and 3rd Party JavaScript

In part two of our series, we take a deeper dive into how JavaScript works and its implications to web and e-commerce security and compliance. This...

Read More