Blog
PCI Trends
PCI Council Releases PCI DSS 3.2.1: What You Need to Know

PCI Council Releases PCI DSS 3.2.1: What You Need to Know

The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of the PCI DSS 3.2.1.

Updated
July 30, 2018
Posted
May 22, 2018
PCI
PCI Council Releases PCI DSS 3.2.1: What You Need to Know

Learn what’s changed in the latest version of the PCI DSS 3.2.1.

The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of the PCI DSS 3.2.1.

The Council previously released PCI DSS 3.2 in April of 2016 to replace version 3.1, which brought with it some big changes, among which were new requirements for service providers and additional guidance about multi-factor authentication.

So what has changed between PCI DSS 3.2 and PCI DSS 3.2.1?

Changes to PCI DSS standard are clarifications

All of the changes in this latest version 3.2.1 are characterized by the PCI Council as clarification—as opposed to additional guidance or actual changes in requirements. The intent of clarification from the PCI Council is to ensure that “concise wording in the standard portrays the desired intent of requirements.”

Many of the changes involve simply removing requirements’ effective dates which have passed or correcting minor punctuation and format issues. However, there are a few items of clarification regarding SSL/early TLS and multi-factor authentication that are worth noting:

  • “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS” has been renamed “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI terminal connections.”
  • In Appendix A2, requirements A2.1 – A2.3 were updated to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.
  • In “Appendix B: Compensating Controls,” Multi-factor authentication was removed from the compensating control example, as MFA is now required for all non-console administrative access. The use of one-time passwords (tokens) as an alternative potential control for this scenario was added.

While these changes are not likely to affect your day-to-day data security routines or require much extra time or money, it’s important to use the latest version of the PCI DSS to avoid misunderstandings and potential gaps in security.

You can read a full and detailed summary of changes between PCI DSS version 3.2 and 3.2.1 here.

If you need help with PCI compliance or would like to know more about PCI audits, contact us here.

Join thousands of security professionals.
Subscribe Now
Get the Latest Trends
View Learning Center
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart InspectShopping Cart Monitor (PCI 6.4.3 & 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000