To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and keeping up with the changes even more so. In May 2018 the Payment Card Industry (PCI) Security Standards Council (formed to regulate security for the payment card industry) released an updated list of compliance requirements known as the PCI Data Security Standard (DSS) v3.2.1.
Let us guide you through these new requirements. We found hundreds of wording changes, most of them innocuous and helpful clarifications; however, a small number of these changes will require some attention in order to maintain compliance after December 2018.
This article focuses on changes to the DSS standard. There were also significant changes to the reporting template which we introduce here and will report on more fully in a follow-up article.
Continue reading for everything you need to know about PCI DSS v3.2.1.
What Are the Largest Impacts of PCI DSS v3.2.1?
The Changes Amount to Almost Nothing, Except for E-Commerce Web Redirection Servers and Reporting Instructions
The changes in DSS 3.2.1 are mostly administrative clarifications, minor fixes, and clean-up of now-expired future-dated requirements. There were hundreds of wording changes, 4 numbering changes, and 3 testing procedures removed. On the surface, these amount to virtually no impact on customer compliance effort.
The largest impacts we identified in PCI DSS 3.2.1 are actually not due to changes in the DSS itself but to the interpretation of its intent. The changes are most evident in the PCI Self-Assessment Questionnaire A (SAQ-A). Whether an entity is completing an SAQ or a Report on Compliance, e-commerce web redirection servers that utilize iframe or full URL redirection are now subject to increased requirements, adding patch management (DSS 6.2) to these system components. This slight increase in compliance footprint may seem small, and for many organizations already doing the right thing it won't be a problem. However, since these changes are quietly buried in the SAQ documents and are not part of the announced DSS changes, we anticipate that this seemingly tiny change will catch many service providers and merchants by surprise and will result in compliance validation delays.
Another surprise is that there are significant changes in the reporting instructions that will affect organizations undergoing "level 1" onsite assessments.
What Is the Difference Between PCI DSS v3.2 and PCI DSS v3.2.1?
In addition to the hundreds of wording changes, 4 numbering changes, and 3 testing procedures removed, there were:
19 Total Discrete Change Clusters
- 19 of these changes have an impact rating of None. These changes have a negligible impact on compliance and help to improve clarity and understanding on intent.
- 0 of these changes have an impact rating of Low. These changes have a low impact on compliance and are new incremental changes that potentially alter compliance efforts.
- 0 of these changes have an impact rating of High. These changes have a high impact on compliance and are typically a new requirement or involve potentially significant effort to achieve or sustain compliance.
Zero Evolving (New or Changed) Requirements
- There are no new or changed “evolving” requirements, which is good news.
Change Analysis - the DSS Standard
There are several other significant differences between PCI DSS v3.2 and PCI DSS v3.2.1. We have prepared a quick overview of the changes in our Change Analysis Brief. We have also prepared a Before & After Redline View if you would like to see every word that changed.
Change Analysis - Report on Compliance Templates (coming soon)
Given the relatively minor nature of this update we were not expecting a lot of changes to the Reporting Templates. Reporting Templates are mandatory instructions for QSAs working with organizations considered "Level 1's" that must undergo onsite assessments and complete Reports on Compliance. We found there is an increased emphasis on the specifics required in the answers. While we don't believe the intent of the instructions has changed, some organizations may find that RoCs will require additional time and effort to satisfy these changes.