Recently, the Payment Card Industry (PCI) released an update to their Data Security Standard (DSS) that is used by anyone that accepts credit cards within their organization. This new release, version 3.2.1, is a minor update to version 3.2 which we've been using for the past two years. The minor changes are as follows, and should generally come as no surprise:
- Some requirements carried a "best practice" note that did not become mandatory until February 2018. Since February has come and gone, those "best practices" are now required.
- The appendix has been updated to reflect that the migration away from SSL/early TLS is now required.
- "Multi-factor authentication" has been removed as an example compensating control. Since multi-factor authentication is now itself a requirement, it makes sense that it can no longer serve as a compensating control.
What does this mean for you? In general, if you've been following PCI 3.2 (which you should be) and you implemented TLS 1.2 or 1.3, then nothing has changed. You can confirm this by going to https://www.ssllabs.com/ssltest/, testing your site, and checking that it no longer offers SSL, TLS 1.0 or TLS 1.1. Even if you use a payment gateway such as PayPal to process the actual transaction, PCI still applies if you are passing cardholder information to the gateway and back.
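If you would rather check from the command line than through a browser, the following script does the same protocol check the SSL Labs test does: it attempts one handshake per protocol version, pinned to exactly that version, and reports whether the server still accepts SSL 3, TLS 1.0 or TLS 1.1. This is an added example written for this post, not part of the original text or of any PCI tooling; the hostname and port are whatever you pass on the command line, and the sample result used when no host is given is constructed for illustration.

```python
import socket
import ssl
import sys

# Protocol versions that PCI DSS 3.2.1 no longer permits for cardholder traffic.
LEGACY_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}
# Versions that are acceptable today.
ACCEPTABLE_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiates(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly one protocol version.

    Returns True if the server completes the handshake at that version and
    False if it refuses (or if the connection fails for any other reason).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Certificate validity is a separate question from protocol support;
        # disable verification so an expired cert does not hide a legacy result.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Lower our own OpenSSL security level so that a refusal comes from the
        # server, not from the client library rejecting old ciphers first.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        # SSLError: server refused the version; ValueError: our OpenSSL build
        # cannot even offer it (which also means it is not reachable via us).
        return False


def scan(host, port=443):
    """Probe every version and return {protocol name: negotiated?}."""
    versions = {**LEGACY_VERSIONS, **ACCEPTABLE_VERSIONS}
    return {name: negotiates(host, port, ver) for name, ver in versions.items()}


def pci_verdict(results):
    """Evaluate scan results against the SSL/early TLS requirement.

    Returns (passes, legacy_enabled, modern_enabled). A site passes only if no
    legacy version is accepted and at least one modern version is.
    """
    legacy = sorted(name for name in LEGACY_VERSIONS if results.get(name))
    modern = sorted(name for name in ACCEPTABLE_VERSIONS if results.get(name))
    return (not legacy and bool(modern), legacy, modern)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        results = scan(target, port)
    else:
        # Constructed sample result: a server that still accepts TLS 1.0.
        target, results = "example-shop.invalid (constructed)", {
            "SSLv3": False, "TLSv1": True, "TLSv1.1": False,
            "TLSv1.2": True, "TLSv1.3": False,
        }
    passes, legacy, modern = pci_verdict(results)
    print(f"{target}: modern={modern} legacy={legacy}")
    print("PASS: no SSL/early TLS offered" if passes
          else "FAIL: disable " + ", ".join(legacy) if legacy
          else "FAIL: no TLS 1.2/1.3 offered")
```

Run it as `python3 tlscheck.py shop.example.com 443` against the host that actually terminates TLS for your payment pages (the load balancer or CDN, not the origin behind it), and remember that a listener which is unreachable from your test machine will show as "refused" for every version, so confirm at least one modern version negotiates before trusting a clean legacy result.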
If you need more information, or would like advice on how to handle PCI compliance in your environment, give us a call or send us an email. We'd be glad to help!