Document Comparison

PCI_DSS_v3-1_Summary_of_Changes.pdf → PCI_DSS_v3-2_Summary_of_Changes.pdf
23% similar
5 → 7 Pages
1204 → 1899 Words
13 Content Changes

Content Changes

13 content changes. 6 administrative changes (dates, page numbers) hidden.

Added p. 3
Relationship between PCI DSS and PA-DSS | Relationship between PCI DSS and PA-DSS | Added guidance that security threats are constantly evolving, and payment applications that are not supported by the vendor may not offer the same level of security as a supported version. | Additional Guidance

Scope of PCI DSS Requirements | Scope of PCI DSS Requirements | Clarified that backup/recovery sites need to be considered when confirming PCI DSS scope. | Clarification

Best Practices for Implementing PCI DSS into Business-as-Usual Processes | Best Practices for Implementing PCI DSS into Business-as-Usual Processes | Updated Note to clarify that some business-as-usual principles may be requirements for certain entities, such as those defined in the Designated Entities Supplemental Validation (Appendix A3).

- | PCI DSS Versions | New section to describe how this version of PCI DSS impacts the previously-effective version. | Additional Guidance

Requirements

General | General | Removed examples of “strong” or “secure” protocols from a number of requirements, as these may change at any time. | Clarification

…
Added p. 5
• 3.5.4 Renumbered due to addition of new Requirement 3.5.1. | Clarification

3.6.1.b | 3.6.1.b | Updated testing procedure language to clarify that testing involves observation of procedures rather than of the key-generation method itself, as this should not be observable. Added guidance referring to the Glossary definition of “Cryptographic Key Generation”. | Clarification

4.1 | 4.1 | Removed note and testing procedures regarding removal of SSL/early TLS and moved them to new Appendix A2. | Clarification

6.2 | 6.2 | Added clarification to Guidance column that the requirement to patch all software includes payment applications. | Clarification

6.4.4 | 6.4.4 | Updated requirement to align with testing procedure. | Clarification

6.4.5 | 6.4.5 | Clarified that change control processes are not limited to patches and software modifications. | Clarification

- | 6.4.6 | New requirement for change control processes to include verification of PCI DSS requirements impacted by a change. Effective February 1, 2018. | Evolving Requirement

6.5 | 6.5 | Clarified that training for developers must be up to date and occur at least annually.

• 6.5.c Removed Testing Procedure 6.5.b and …
Added p. 7
12.3.3 | 12.3.3 | Reformatted testing procedure for clarity. | Clarification

- | 12.4 | New requirement for service providers’ executive management to establish responsibilities for the protection of cardholder data and a PCI DSS compliance program. Effective February 1, 2018. | Evolving Requirement

12.4 | 12.4.1 | Renumbered due to addition of new Requirement 12.4. | Clarification

12.6 | 12.6 | Clarified that the intent of the security awareness program is to ensure personnel are aware of the cardholder data security policy and procedures. | Clarification

12.8.2 | 12.8.2 | Added guidance that service provider responsibility will depend on the particular service being provided and the agreement between the two parties. | Additional Guidance

12.10.2 | 12.10.2 | Clarified that review of the incident response plan encompasses all elements listed in Requirement 12.10.1. | Clarification

- | 12.11, 12.11.1 | New requirement for service providers to perform reviews at least quarterly, to confirm personnel are following security policies and operational procedures. Effective February 1, 2018. | Evolving Requirement

Appendix A | Appendix A1 | Renumbered Appendix “Additional PCI DSS Requirements …
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 3.0 to 3.1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 3.1 to 3.2
Removed p. 3
Introduction | Introduction | Changed reference from “protecting cardholder data” to “protecting account data”. | Clarification

Introduction | Introduction | Clarified that PCI DSS applies to any entity that stores, processes or transmits account data. | Clarification

Introduction | Introduction | Changed reference from “personally identifiable information” to “personal information”.

PCI DSS Applicability Information | PCI DSS Applicability Information | Changed reference from “financial institutions” to “acquirers, issuers”.

PCI DSS Applicability Information | PCI DSS Applicability Information | Removed reference to “environments” to clarify applicability at the organization level rather than the system level. | Clarification

Scope of PCI DSS Requirements | Scope of PCI DSS Requirements | Aligned with language used earlier in the same section regarding steps for confirming accuracy of the defined CDE. | Clarification

Use of Third Party Service Providers / Outsourcing | Use of Third Party Service Providers / Outsourcing | Clarified that validation processes for service providers include undergoing their own annual assessments or undergoing multiple on-demand assessments.

PCI DSS Assessment Process | PCI DSS Assessment Process | Reordered assessment steps to …
Modified p. 3
Table 2: Summary of Changes (columns: PCI DSS v3.0 | PCI DSS v3.1 | Change | Change Type¹)
All | All | Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document. | Clarification
Table 2: Summary of Changes (columns: PCI DSS v3.1 | PCI DSS v3.2 | Change | Change Type¹)
All | All | Addressed minor typographical errors (grammar, punctuation, formatting, etc.) and incorporated minor updates for readability throughout the document. | Clarification
Modified p. 3
General | General | Updated language in requirements and/or testing procedures for consistency.
General | General | Moved examples from a number of requirements and/or testing procedures to the Guidance column, and added guidance where appropriate.
Removed p. 4
• 3.2.3 Clarified in requirements that storage of sensitive authentication data is not permitted “after authorization”. | Clarification

3.4 | 3.4 | Clarified in requirement note that additional controls are required if hashed and truncated versions of the same PAN are present in an environment. Added Testing Procedure 3.4.e to assist with validation of the Note. Clarified intent of “truncation” in Guidance column. | Clarification

3.5.2 | 3.5.2 | Clarified that “HSM” may refer to a “Hardware” or “Host” Security Module. Aligned with language in PCI PTS. | Clarification

3.6 | 3.6 | Clarified that Testing Procedure 3.6.a only applies if the entity being assessed is a service provider. | Clarification

4.1 | 4.1 | Removed SSL as an example of a secure technology and added a note to the requirement. See explanation above at 2.2.3. | Evolving Requirement

4.2 | 4.2 | Included SMS as an example of end-user messaging technology and added guidance. | Clarification, Additional Guidance

6.6 | 6.6 | Added clarification to testing procedure and Guidance column that if an …
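The 3.4 row above says that hashed and truncated versions of the same PAN in one environment need additional controls. The reason is worth seeing concretely, so here is an added example that is not part of either PCI document: a first-six/last-four truncation leaves only six digits unknown, so an unsalted hash of the full PAN falls to a brute-force search in seconds, and a Luhn check prunes most candidates before any hashing is done. The PAN, truncation format and key are constructed values; `keyed_hash` (HMAC-SHA256 with a secret key) is one illustrative control that breaks the correlation, not a method the standard prescribes.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example values (not taken from the PCI documents): a 16-digit
# test PAN, its first-6/last-4 truncation, and an unsalted SHA-256 of the
# full PAN as a weak "one-way" rendering of the same account number.
FULL_PAN = "4111111111111111"
TRUNCATED_PAN = "411111******1111"
UNSALTED_HASH = hashlib.sha256(FULL_PAN.encode("ascii")).hexdigest()


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Brute-force the masked middle digits of a first-6/last-4 truncated PAN
    against an unsalted SHA-256 digest of the full PAN.

    Assumes the truncation exposes the first six and last four digits (the
    common PCI truncation format). Returns the full PAN, or None if no
    candidate matches, which is what happens against a keyed digest."""
    prefix = truncated[:6]
    suffix = truncated[-4:]
    masked = len(truncated) - len(prefix) - len(suffix)  # 6 for a 16-digit PAN
    for n in range(10 ** masked):
        candidate = f"{prefix}{n:0{masked}d}{suffix}"
        if not luhn_valid(candidate):  # impossible PAN: skip the hash entirely
            continue
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN with a secret key. Without the key an attacker
    cannot compute candidate digests, so the truncated copy no longer helps."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-example-key"  # in practice held in an HSM / key manager
    print("unsalted hash + truncation ->", recover_pan(TRUNCATED_PAN, UNSALTED_HASH))
    print("keyed hash + truncation    ->",
          recover_pan(TRUNCATED_PAN, keyed_hash(FULL_PAN, secret)))
```

A per-record salt stored beside the hash does not change this picture: the search space is still at most one million candidates, fewer after the Luhn filter, so the salt only stops precomputed tables. What matters is that whoever can read the hashes and the truncated values cannot also compute the keyed digest, which is why the key has to live outside the data store.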
Modified p. 4
4.1.1 | 4.1.1 | Updated testing procedure to recognize all versions of SSL as examples of weak encryption.
3.4.d | 3.4.d | Updated testing procedure to clarify that the examination of audit logs includes payment application logs.
Modified p. 4
8.5.1 | 8.5.1 | Clarified this requirement only applies if the entity being assessed is a service provider.
2.1 | 2.1 | Clarified that the requirement applies to payment applications.
Removed p. 5
10.6 | 10.6 | Removed redundant language in Guidance column. | Clarification

10.6.1 | 10.6.1 | Updated requirement to more clearly differentiate intent from Requirement 10.6.2. | Clarification

11.1.c | 11.1.c | Clarified that testing procedure applies where wireless scanning is utilized. | Clarification

11.2 | 11.2 | Clarified in Guidance column that a vulnerability scan could be a combination of automated and manual tools, techniques, or other methods. | Additional Guidance

11.3.2.a | 11.3.2.a | Removed redundant language from testing procedure. | Clarification

11.3.4 | 11.3.4 | Clarified that the intent of the penetration testing is to verify that all out-of-scope systems are segmented (isolated) from systems “in the CDE”. | Clarification

11.5 | 11.5 | Clarified that unauthorized modifications include changes, additions, and deletions of critical system files, etc. | Clarification

12.9 | 12.9 | Clarified this requirement only applies if the entity being assessed is a service provider, and added related guidance. | Clarification, Additional Guidance

Appendix C: Compensating Controls Worksheet - Completed Example | Appendix C: Compensating Controls Worksheet - Completed Example | Updated description of compensating control example to reflect …
Modified p. 5 → 6
9.9.1.b | 9.9.1.b | Updated testing procedure to clarify that both devices and device locations need to be observed.
9.5.1.a, 9.5.1.b | 9.5.1 | Combined testing procedures to clarify that the assessor verifies the storage location is reviewed at least annually.
Modified p. 5 → 7
12.2 | 12.2 | Clarified that the risk assessment process must result in a formal, “documented analysis of risk”.
12.8.1 | 12.8.1 | Clarified that the list of service providers includes a description of the service provided.