If you are reading this text, you are probably just as shocked as I am that the Council released an addendum to PCI DSS outside of the normal cycle. If you think back, the last time this happened was in July of 2009, when PCI DSS v1.2.1 became public. Version 1.2.1 contained only minor, largely cosmetic changes. I bet that most of you, even those who have been dealing with PCI DSS for years, didn’t even know that there was an addendum to version 1.2.
Well, version 3.1 is no tiny update, and nothing about it is strictly cosmetic. It replaces version 3.0 outright. This addendum to PCI Compliance, 4th Edition, is meant as a companion piece. I will take you through the major changes in PCI DSS 3.1, including some of the fun things you will now be tasked with as you begin your assessments this fall.
For most of you, version 3.0 is still new enough that you may not have even been through your first formal 3.0 assessment. Those of you who are just now beginning to look at 3.0 should just move straight to 3.1. PCI DSS 3.0 was officially retired on June 30, 2015. If there is something in version 3.1 that may jeopardize your compliance timelines, work with your acquiring bank to figure out a pathway forward on either 3.0 or 3.1. There’s really no sense in working hard to remediate gaps against a retired standard (just like you wouldn’t start a PCI DSS 2.0 assessment today). Also, shame on you for waiting so long!
Those of you who are in the middle of a 3.0 assessment or remediation should talk to your acquiring bank. If you have already started, they may allow you to finish your validation against version 3.0. Even if this is your situation, take a look at the changes in PCI DSS 3.1. If you rely heavily on SSLv3 (or on early TLS, which 3.1 treats the same way) in your environment, this could be extremely painful. If not, the rest of the changes may be minor enough (for you) that moving forward with PCI DSS 3.1 is the simpler path.
PCI DSS 3.1. DOI: http://dx.doi.org/10.1016/B978-0-12-804627-2.00001-1 © 2016 Elsevier Inc. All rights reserved.
Now that we’ve discussed the themes, let’s review the contents. This booklet is organized into the following chapters.
Chapter 1, Introduction. You are reading it. Good job!
Chapter 2, The Death of SSL. What exactly does it mean for you as someone who relies on SSLv3?
Chapter 3, Third Parties. An extended review of the third-party adventure that started with 3.0 and continues with 3.1.
Chapter 4, Technical Testing. More details on what technical changes exist.
Chapter 5, Other Miscellaneous Changes. For changes that do not fall into the above categories, quick blurbs on what changed.
Chapter 6, Final Thoughts.
Thanks for letting me take you on this journey. What I hope you get out of this is detail about the changes, business-level information that will help you choose the best path, and specific things that are actionable for you today.