New 2018 PCI DSS 3.2 Compliance Requirements Effective February 2018

By Zachary Ostroff on March 5, 2018

Nine “Best Practices” Out, Nine New PCI DSS Mandates In

In December 2004, Visa, MasterCard, American Express, Discover, and JCB Co. created the Payment Card Industry (PCI) Data Security Standard (DSS) to limit payment card fraud and establish a consistent framework of controls for cardholder data. The PCI DSS is an amalgamation of the standards, requirements, and guidance from each of these companies' existing security programs.

Application of PCI DSS Standards

PCI DSS applies to all organizations that process, store, or transmit cardholder data (CHD) or sensitive authentication data (SAD). The standard is organized into six control objectives, which together contain twelve requirements; each requirement has sub-requirements that define the baseline for compliance.

When Version 3.2 was released in April 2016, several of its new sub-requirements carried the following note: "This requirement is a best practice until January 31, 2018, after which it becomes a requirement."

Now that these best practices are compulsory, it is essential to understand how they affect your organization and what steps you must take to reach full compliance. Non-compliance may lead to loss of the ability to process payment cards and loss of the organization's PCI DSS compliant status.

PCI DSS Best Practices That Became Requirements in February 2018

A total of nine best practices became requirements as of February 1, 2018. All nine apply to service providers; two of them (applying PCI DSS requirements after significant changes, and multi-factor authentication for non-console administrative access) apply to merchants as well.

PCI DSS Compliance

If your company is seeking to become PCI DSS compliant, or will be undergoing an annual PCI DSS assessment, make sure that these new requirements are covered by your compliance program or review.

These include:

  • Documenting the cryptographic architecture, including all algorithms, protocols and keys used to protect cardholder data, how each key is used, and an inventory of HSMs and other secure cryptographic devices (Requirement 3.5.1; service providers)
  • Ensuring that PCI DSS requirements are implemented and documentation is updated after any significant change to systems or networks (6.4.6; all entities)
  • Multi-factor authentication for all non-console administrative access into the cardholder data environment, not only for remote access (8.3.1; all entities)
  • A process for the timely detection and reporting of failures of critical security control systems, such as firewalls, IDS/IPS, FIM, anti-virus, physical and logical access controls, audit logging mechanisms, and segmentation controls (10.8; service providers)
  • Processes for responding to failures of any critical security control, including restoring the control, identifying and documenting the cause and duration of the failure, and addressing any security issues that arose while it was down (10.8.1; service providers)
  • Confirming PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any change to those controls (11.3.4.1; service providers)
  • Executive management establishing responsibility for the protection of cardholder data and for the PCI DSS compliance program (12.4.1; service providers)
  • Quarterly reviews confirming that personnel are following security policies and operational procedures (12.11; service providers)
  • Maintaining documentation of the quarterly review process, including the results and sign-off by the personnel responsible for the compliance program (12.11.1; service providers)
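Requirements 10.8 and 10.8.1 ask a service provider to detect failures of critical security controls promptly and to record how long each control was down. The following is an added example of a minimal monitor that does this, not code from the original post or from Freed Maxick. The control names, heartbeat thresholds and the status snapshot are constructed assumptions for illustration; in practice the snapshot would be fed from service checks or a SIEM.

```python
"""Detect and report failures of critical security controls (PCI DSS 10.8 / 10.8.1).

Added example, not part of the original post. Control names, thresholds and
the sample snapshot are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Longest a control may go without a heartbeat before it is treated as failed.
# PCI DSS 10.8 names the control categories but prescribes no thresholds, so
# these limits are assumptions for the example.
MAX_SILENCE: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids_ips": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "audit_logging": timedelta(minutes=15),
    "segmentation": timedelta(minutes=5),
}


@dataclass(frozen=True)
class Failure:
    control: str
    reason: str                    # "not_running", "stale" or "not_reporting"
    since: Optional[datetime]      # last time the control is known to have worked
    duration: Optional[timedelta]  # how long it has been failing (10.8.1 needs this)


def detect_control_failures(snapshot: List[dict], now: datetime,
                            max_silence: Dict[str, timedelta] = MAX_SILENCE) -> List[Failure]:
    """Return one Failure per critical control that is down, silent or absent."""
    seen = {entry["control"]: entry for entry in snapshot}
    failures: List[Failure] = []
    for control, limit in max_silence.items():
        entry = seen.get(control)
        if entry is None:
            # A control that never checks in is a failure of the monitoring
            # itself, so it is reported rather than silently skipped.
            failures.append(Failure(control, "not_reporting", None, None))
            continue
        last = entry["last_heartbeat"]
        if not entry["running"]:
            # The last heartbeat is the latest point the control is known to
            # have been healthy, so it bounds the failure duration.
            failures.append(Failure(control, "not_running", last, now - last))
        elif now - last > limit:
            failures.append(Failure(control, "stale", last, now - last))
    return sorted(failures, key=lambda f: f.control)


def format_report(failures: List[Failure]) -> List[str]:
    """Render failures as one line each, suitable for a ticket or alert."""
    lines = []
    for f in failures:
        if f.duration is None:
            lines.append(f"{f.control}: {f.reason} (no status received; duration unknown)")
        else:
            minutes = int(f.duration.total_seconds() // 60)
            lines.append(f"{f.control}: {f.reason} since {f.since.isoformat()} ({minutes} min)")
    return lines


# Constructed snapshot: one record per control as a collector might produce it.
NOW = datetime(2018, 2, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SNAPSHOT = [
    {"control": "firewall", "running": True, "last_heartbeat": NOW - timedelta(minutes=1)},
    {"control": "ids_ips", "running": False, "last_heartbeat": NOW - timedelta(hours=3)},
    {"control": "fim", "running": True, "last_heartbeat": NOW - timedelta(minutes=2)},
    {"control": "antivirus", "running": True, "last_heartbeat": NOW - timedelta(minutes=5)},
    {"control": "audit_logging", "running": True, "last_heartbeat": NOW - timedelta(minutes=45)},
    # "segmentation" is deliberately absent: the monitor must flag it, not ignore it.
]

if __name__ == "__main__":
    for line in format_report(detect_control_failures(SAMPLE_SNAPSHOT, NOW)):
        print(line)
```

Two design points carry the weight of the requirement: a control that stops reporting is treated as failed rather than assumed healthy, and each failure records when the control was last known good, which is the starting point for the duration and root-cause analysis 10.8.1 expects.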

Connect with the Freed Maxick PCI DSS Compliance Experts

Our team does a significant amount of PCI DSS compliance work across the country, and we would welcome the opportunity to share our insights and guidance in a complimentary review of your compliance situation. We also encourage you to read our thought leadership on PCI DSS or download any of our compliance-related thought leadership materials.

If you would like more information on our compliance services, contact one of our Qualified Security Assessors at or connect with us here.
