The PCI Security Standards Council has published PCI DSS Version 3.2.1, a minor revision of the PCI Data Security Standard (PCI DSS), which businesses around the world use to safeguard payment card data before, during and after a purchase is made.
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include several commonly known best practices, such as:
- Installation of firewalls
- Removing default credentials
- Performing routine security assessments
- Encryption of data transmissions
- Use of anti-virus software
The changes are defined as:
- Multi-factor authentication (MFA) is now required for all non-console administrative access, and one-time passwords are added as a potential alternative control for this scenario.
- After 30 June 2018, all entities must have stopped using SSL/early TLS as a security control and must use only secure versions of the protocol.
- POS terminals may continue using these as a security control after 30 June 2018.
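The SSL/early TLS rule above is checked in practice by looking at what a TLS endpoint is still willing to negotiate. The following is an added example, not material from the PCI SSC: it uses Python's standard `ssl` module to audit an `SSLContext` for versions the rule forbids and to build a server context that offers only TLS 1.2 and later. Counting TLS 1.1 as "early TLS" is this example's assumption; the statement itself only names SSL/early TLS.

```python
"""Audit an ssl.SSLContext against the PCI DSS v3.2.1 rule that SSL and
early TLS may no longer be offered, and build a context that meets it."""
import ssl

# Versions grouped here as "SSL/early TLS". Including TLS 1.1 is this
# script's assumption; the PCI statement names only SSL/early TLS.
SSL_EARLY_TLS = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}

# Legacy OP_NO_* flags, still common in older configurations, also disable versions.
LEGACY_OPT_OUT = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def permitted_versions(ctx: ssl.SSLContext) -> list:
    """Return the protocol versions ctx would still negotiate: those inside
    [minimum_version, maximum_version] whose legacy OP_NO_* flag is unset."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for version, opt_out in LEGACY_OPT_OUT.items():
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        if ctx.options & opt_out:
            continue
        allowed.append(version)
    return allowed


def pci_violations(ctx: ssl.SSLContext) -> list:
    """Versions ctx still offers that the rule forbids after 30 June 2018."""
    return [v for v in permitted_versions(ctx) if v in SSL_EARLY_TLS]


def is_pci_compliant(ctx: ssl.SSLContext) -> bool:
    return not pci_violations(ctx)


def pci_server_context() -> ssl.SSLContext:
    """Server context limited to TLS 1.2 and later; call load_cert_chain() before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    return ctx


if __name__ == "__main__":
    # A bare context inherits whatever the OpenSSL build and openssl.cnf allow,
    # so its result varies by host; the hardened context does not.
    for label, ctx in (("default", ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)),
                       ("hardened", pci_server_context())):
        names = [v.name for v in pci_violations(ctx)]
        print(f"{label}: still offers SSL/early TLS -> {names or 'none'}")
```

The same `permitted_versions` check applies to any context an application already builds, so it can be dropped into a startup self-test for services that terminate TLS in the cardholder data environment.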
The updates in PCI DSS v3.2.1 do not affect the Payment Application Data Security Standard (PA-DSS), which will remain at v3.2.
“Online and e-commerce environments using SSL/early TLS are most susceptible to these vulnerabilities and should be upgraded immediately.” - PCI DSS Statement