What’s New in PCI DSS 3.2.1?

With the release of PCI DSS 3.2.1 you might be curious about what has changed between version 3.2 and version 3.2.1. Keeping up with each version of the PCI DSS is an important part of overall PCI compliance, so we'll summarize what is new here.

Overall, the changes in PCI DSS 3.2.1 are not major. They are mostly clarification-type changes, with some grammatical, formatting and punctuation changes mixed in.

One change that stands out is that wording referencing how to report SSL and early TLS migration efforts was removed. Why is this the case? Well, the migration deadline for transitioning away from SSL and early TLS (such as TLS 1.0) passed in 2018. Compliant merchants should have SSL and early TLS disabled by now and no longer need to document a migration; it should simply be completed.
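Since the migration is expected to be complete rather than documented, the practical question for an assessor or administrator is whether SSL and early TLS are actually disabled. The following is an added example, not code from the article or from the PCI SSC: it audits nginx `ssl_protocols` and Apache `SSLProtocol` lines from constructed sample configurations, and shows a Python `ssl.SSLContext` pinned to TLS 1.2 as the hardened server-side setting. Two assumptions are built in and labelled in the code: Apache's `all` keyword is taken to expand to SSLv3 through TLSv1.3 (as on a modern OpenSSL build), and TLS 1.1 is reported as a warning rather than a failure, since the article only names TLS 1.0 as an example of early TLS.

```python
"""Audit web-server TLS protocol settings for SSL / early TLS (added example)."""
import re
import ssl

# Protocol tokens as spelled in nginx 'ssl_protocols' and Apache 'SSLProtocol'.
SSL_AND_TLS10 = {"SSLv2", "SSLv3", "TLSv1"}   # SSL and TLS 1.0: must be disabled
TLS11 = {"TLSv1.1"}                            # TLS 1.1: reported as a warning (assumption)

# What Apache's 'all' keyword expands to on a modern OpenSSL build.
# This expansion is an assumption of the example, not taken from the article.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;\n]+?)\s*;?\s*$")


def enabled_protocols(directive, value):
    """Return the set of protocol names a directive value actually enables."""
    tokens = value.split()
    if directive == "ssl_protocols":           # nginx: a plain list of names
        return set(tokens)
    # Apache: names with optional '+'/'-' prefixes and the 'all' keyword,
    # applied left to right.
    enabled = set()
    for tok in tokens:
        if tok.startswith("-"):
            name = tok[1:]
            enabled -= set(APACHE_ALL if name.lower() == "all" else [name])
        else:
            name = tok.lstrip("+")
            enabled |= set(APACHE_ALL if name.lower() == "all" else [name])
    return enabled


def audit_config(text):
    """Return (compliant, findings); findings are (line_no, protocol, severity)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        enabled = enabled_protocols(m.group(1), m.group(2))
        for proto in sorted(enabled & SSL_AND_TLS10):
            findings.append((line_no, proto, "fail"))
        for proto in sorted(enabled & TLS11):
            findings.append((line_no, proto, "warn"))
    compliant = not any(sev == "fail" for _, _, sev in findings)
    return compliant, findings


def hardened_server_context():
    """Server-side SSLContext that refuses SSL, TLS 1.0 and TLS 1.1 at handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_allows_early_tls(ctx):
    """True if the context's floor is below TLS 1.2 (or left to library defaults)."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed sample configurations (not taken from any real deployment).
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;"
# A common line that looks hardened but still leaves TLS 1.0 and 1.1 enabled.
LOOKS_HARDENED_APACHE = "SSLProtocol all -SSLv3"
HARDENED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3"

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("apache all -SSLv3", LOOKS_HARDENED_APACHE),
                       ("hardened apache", HARDENED_APACHE)]:
        ok, found = audit_config(cfg)
        print(f"{label}: {'compliant' if ok else 'NOT compliant'} {found}")
    print("hardened context allows early TLS:",
          context_allows_early_tls(hardened_server_context()))
```

The Apache case is the one worth remembering: `SSLProtocol all -SSLv3` reads as a hardening line, but with `all` expanded it still enables TLS 1.0, so the audit reports a failure on it while the explicit `-all +TLSv1.2 +TLSv1.3` form passes.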

Another important change is that MFA, or multi-factor authentication, has been removed as a compensating control example in Appendix B. Why was this done? Multi-factor authentication is now a requirement for all non-console administrative access, so it can no longer serve as a compensating control; it is simply required for those environments.

Overall, PCI DSS 3.2.1 was not significantly changed from version 3.2. As long as you are aware of the two main differences summarized above, having SSL and early TLS disabled and using MFA for non-console administrative access, you should be in good shape transitioning from version 3.2 to 3.2.1.