Is Your Payment Application Ready to Leap to PA-DSS Version 3.2?

With the release of PA-DSS 3.2 on June 8th, the PCI Council has provided sunset dates for PA-DSS 3.1 applications and application listings. The key item to note is that ROVs and changes for payment applications validated according to PA-DSS v3.1 may be submitted through 31 August 2016. As of 1 September 2016, all new ROVs must be validated according to PA-DSS v3.2.

The table below gives a breakdown of the dates you should be aware of for your payment applications.

| Lifecycle Dates for PA-DSS | PA-DSS 3.1 | PA-DSS 3.2 |
|---|---|---|
| Effective Date: Submissions will be accepted from this date. | 1 June 2015 | 1 June 2016 |
| Standard Expiry Date: Submissions for new application listings and high impact changes will not be accepted after this date. | 31 August 2016 | TBD |
| Application Listing Expiry Date: All applications will be moved to "Pre-Existing Deployments" list. | 28 October 2019 | 28 October 2022 |
| Changes accepted until: Low impact and no impact changes for listed applications. | 28 October 2019 | 28 October 2022 |

What if I am currently in the process of validation?

This is a common question, both for us and for the PCI Council. In its publication, the Council addresses it with the following statement:

“While PCI SSC is unable to grant any extensions past 31 August 2016, assessors/vendors will have until 30 November 2016 to resolve and resubmit ROVs or change submissions for which PCI SSC requests additional clarification or action, as long as the completed ROV and all supporting documentation was submitted to PCI SSC and the corresponding invoice was paid in full prior to 12:00AM EDT 1 September 2016.”

Thus, if you are in the middle of an assessment, you should make it a priority to complete it before August 31, 2016. If you believe that you will not be finished before the end of August, or are thinking of starting a PA-DSS validation, you will need to align to PA-DSS 3.2.

If you are unsure about what to do next, give Control Gap a call and we will help you navigate the compliance waters.
