SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


New release of PCI DSS (version 3.2) is available

Published: 2016-04-29
Last Updated: 2016-04-29 14:03:29 UTC
by Mark Hofman (Version: 1)
1 comment(s)

A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news: the deadline for this requirement has been moved to June 30, 2018. Service providers will, however, be required to offer a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30, 2016 (yes, two months). This shouldn't be too onerous, as most service providers will already have this in place.

There are a few new requirements in the standard. The majority of these apply only to service providers and relate to ensuring that processes are followed throughout the year rather than as a once-a-year effort. They are best practice until 1 February 2018, after which they must be in place. A number of these are also quarterly requirements.

They include: 

  • 3.5.1 – Maintain a documented description of the cryptographic architecture. 
  • 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
  • 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. 
  • 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.  

The other big change, which affects everyone, relates to multi-factor authentication for administration of the Cardholder Data Environment (CDE). Currently this requirement applies only when remote access is used to reach the CDE. It has now been extended to cover ALL administrative access to the CDE. This means that you will need to roll out some form of multi-factor authentication for all administrative access to the environment.

Other changes in the standard are generally clarifications. The new release of the standard is effective immediately, and version 3.1 will be retired on October 31, 2016. Your next assessment will likely be against the new version of the standard.

The council’s “Summary of changes document from PCI DSS version 3.1 to 3.2” (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf) outlines all of the changes and is well worth a read.  

Mark H - Shearwater

Keywords: Compliance PCI DSS
Sysinternals Updated today - Updates to Sysmon, Procdump and Sigcheck. https://blogs.technet.microsoft.com/sysinternals/2016/04/28/update-sysmon-v4-procdump-v8-sigcheck-v2-51/
ISC Stormcast For Friday, April 29th 2016 http://isc.sans.edu/podcastdetail.html?id=4975

If you have more information or corrections regarding our diary, please share.
