Document Comparison
PA-DSS_v3-1_Summary_of_Changes.pdf
→
PA-DSS_v3-2_Summary_of_Changes.pdf
39% similar
Pages: 3 → 4
Words: 700 → 637
Content changes: 7
Content Changes
7 content changes. 3 administrative changes (dates, page numbers) hidden.
Added
p. 3
Clarification Requirements General General Removed examples of “strong” or “secure” protocols from a number of requirements, as these may change at any time.
• Moved examples from a number of requirements and/or testing procedures to the Guidance column, and added guidance where appropriate.
• Updated requirement to clarify that any displays of PAN greater than the first six/last four digits of the PAN require a legitimate business need.
• Added guidance on common masking scenarios.
Evolving Requirement 2.3.a 2.3.a
• Updated testing procedure for the PA-DSS Implementation Guide to include instruction that if debugging logs are ever enabled (for example, for troubleshooting purposes), and include PAN, the logs must be protected in accordance with PCI DSS, disabled as soon as troubleshooting is complete, and securely deleted when no longer needed.
Evolving Requirement 3.1.a 3.1.a Updated testing procedure for the PA-DSS Implementation Guide to include identification of all roles and default accounts within the application with administrative …
Added
p. 3
Clarification 7.2.3 Added requirement for the PA-DSS Implementation Guide to include instructions about secure installation of patches and updates.
Evolving Requirement 8.3 8.3 Clarified correct term is multi-factor authentication rather than two-factor authentication, as two or more factors may be used.
Requirement 12 Requirement 12 Changed requirement title to “Secure all non-console administrative access” to better reflect content of this requirement.
Clarification 12.2 12.1.1 Renumbered as sub-requirement of 12.1.
Clarification 12.2 New Requirement addresses multi-factor authentication for all personnel with non-console administrative access to the application. Aligns with PCI DSS Requirement 8.3.1.
Removed
p. 2
Clarification All All Changed references from “merchant” to “customer” when referring to entities that use payment applications.
PCI DSS Applicability Information PCI DSS Applicability Information Changed reference from “financial institutions” to “acquirers, issuers”. Clarified that PCI DSS applies to any entity that stores, processes or transmits account data.
• Clarified in requirement “Note” that additional controls are required if hashed and truncated versions of the same PAN are generated by the payment application.
• Added Testing Procedure 2.3.c for validation of the Note, and renumbered subsequent testing procedures.
Clarification 2.4 2.4 Updated guidance to clarify key-encrypting keys are not required to be encrypted. However, they must be protected in accordance with Requirement 2.4.
Additional Guidance 2.5 2.5 Changed “encryption” to “cryptographic” in testing procedure to align with the requirement.
Modified
p. 2 → 3
Table 2: Summary of Changes Change Type1 PA-DSS v3.0 PA-DSS v3.1 All All Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document.
Table 2: Summary of Changes Change Type1 PA-DSS v3.1 PA-DSS v3.2 All All Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document.
Removed
p. 3
• Clarified that passwords must be changed at least once every 90 days.
Clarification 5.1.d 5.1.d Updated testing procedure to align with the requirement.
Clarification 5.3.3.a 5.4.1.c 5.3.3.a 5.4.1.c Updated language in testing procedures for consistency.
Clarification 5.4.3.a 5.4.3.a Combined bullets in testing procedures to remove redundancy.
Clarification 5.4.5.b 5.4.5.b Updated testing procedure to align with requirement.
Clarification 6.3 6.3 Removed redundant language in testing procedure.
Clarification
• Removed SSL as an example of a secure technology.
• Added a note that SSL and early TLS are not considered strong cryptography and payment applications must not use, or support the use of, SSL or early TLS. Also impacts Requirements 11.1, 12.1 and 12.2.
Evolving Requirement 8.3 8.3 Updated for consistency with PCI DSS.
Clarification 10.2.2 10.2.2 Clarified that a unique authentication credential must be used for each customer.
• Removed SSL as an example of a secure technology and
• Removed SSL as an example of a secure …
Modified
p. 3
Clarification 3.1.7 3.1.7
Clarification General General
Modified
p. 3 → 4
Evolving Requirement Appendix A: Summary of Contents for the PA-DSS Implementation Guide Appendix A: Summary of Contents for the PA-DSS Implementation Guide Updated to reflect changes made to requirements, as applicable.
Evolving Requirement Appendix A: Summary of Contents for the PA-DSS Implementation Guide Appendix A: Summary of Contents for the PA-DSS Implementation Guide Updated to reflect changes made to requirements, as applicable.