Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released in April 2016, with a compliance date of October 31, 2016.

Although version 3.1 will not expire until then, companies have been encouraged to adopt the new standard as soon as possible to prevent, detect and respond to cyber attacks that can lead to payment data breaches.

Key changes in PCI DSS 3.2 include:

  • Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
  • Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
  • Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.

A full copy of the new PCI Data Security Standard version 3.2, including a Summary of Changes document, is available at:

PCI Perspectives blog post PCI DSS 3.2: What’s New? provides more information on changes to the standard and its supporting documents. The blog also outlines additional resources available for understanding and adopting PCI DSS version 3.2.