make a good business better

Blog Information Security

Print Divider Print Divider Branding

How to Meet the Newest PCI DSS Requirements in Your Next Assessment

06/28/2018  |  By: Brian Willis, Senior Manager, Information Security


Social Logo Social Logo Social Logo Social Logo

There are many things in life you can do on “autopilot:” brushing your teeth, taking out the trash—you get the idea. But, achieving PCI compliance is not one of those things. The security threat landscape is constantly changing, and the PCI Council is continually evolving its security standards in response to those changes. PCI DSS is no exception to that rule. The newest version of the framework, v.3.2.1, includes new requirements—each of which were introduced in v3.2 and were effective as of February 1, 2018.

Many organizations elected to not to address these new requirements until after their effective date. If this includes your organization, and you have a PCI assessment marked on the calendar, you may be wondering how to achieve compliance with these new requirements. If so, fear not! Here’s a summary of the new requirements, guidance on how to satisfy each requirement, and what your QSA will be looking for to demonstrate you’re compliant.

Requirement 6.4.6

Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.


Conduct a formal review of any systems, networks, or applications that have been changed to identify any compliance gaps introduced as a result of the change. This review should be conducted by an employee responsible for PCI compliance, who is often a PCI ISA. Regardless of which employee completes the review, make sure the review is formally recorded within change control documentation. And, if you want a higher level of assurance that systems affected by a change are still compliant, consider consulting a QSA for help with the review.

What Your QSA Will Look For

Your QSA will review a sample of change control records and interview personnel responsible for conducting the internal review, all to verify the change was completed, and that any PCI compliance issues were recorded and resolved appropriately. 

Requirement 8.3.1

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. 


This requirement applies to non-console administrative access only, i.e. administrative access to the CDE originating from a system outside the CDE. This requirement is in addition to, and does not replace, the requirement for multi-factor authentication for remote access to the CDE. See my previous blog on meeting PCI’s expectations for multi-factor authentication (MFA) to be sure you’re implementing a compliant solution.

What Your QSA Will Look For

Your QSA will want to observe how you utilize MFA for administrative access as well as a demonstration of the process to verify your systems are utilizing it properly.

Requirement 3.5.1 (Service Providers Only)

Maintain a documented description of the cryptographic architecture that includes: 

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date 
  • Description of the key usage for each key 
  • Inventory of any HSMs and other SCDs used for key management


This requirement is straightforward. Simply ensure you have a document in place that describes the full details of the encryption algorithms, protocols, and keys used for CHD storage. Beyond that, you’ll need to demonstrate to your QSA that all personnel responsible for managing the CHD encryption process understand how data is encrypted and are familiar with encryption, decryption, and key management processes.

What Your QSA Will Look For

Your QSA will review the documented description of encryption protocols in use and interview personnel responsible for the encryption process to verify they are familiar with the protocols and can execute encryption and key management processes as documented.

Note: This requirement is for service providers only.

Requirements 10.8 & 10.8.1 (Service Providers Only)

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: 

  • Firewalls 
  • IDS/IPS 
  • FIM 
  • Anti-virus 
  • Physical access controls 
  • Logical access controls
  • Audit logging mechanisms 
  • Segmentation controls (if used) 

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include: 

  • Restoring security functions 
  • Identifying and documenting the duration (date and time start to end) of the security failure 
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause 
  • Identifying and addressing any security issues that arose during the failure 
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure 
  • Implementing controls to prevent cause of failure from reoccurring 
  • Resuming monitoring of security controls


This control addresses security systems, appliances, applications, access controls, and segmentation controls utilized to maintain and monitor CDE security. Ensure you have processes in place to facilitate timely detection, alerting, and reporting of any failures of these systems. Finally, make sure your response activities include a thorough analysis of failures as well as appropriate responses to those failures.

What Your QSA Will Look For

Your QSA will review policy and procedure documentation related to the detection and alerting mechanisms for each security control system, as well as interview personnel responsible for monitoring alerts and responding to incidents. Your QSA will also review evidence like notification messages and incident response records to verify successful detection, reporting, and response to any failures.

Note: These requirements are for service providers only.

Requirement (Service Providers Only)

If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.


The purpose of this requirement is to verify that your segmentation controls are functioning and being maintained properly. To achieve compliance, perform targeted penetration testing against segmentation controls (like firewalls, switches, and authentication domains) utilized to isolate the CDE from the rest of the network at least once every six months. Remember—as with other penetration testing requirements, all critical and high-risk vulnerabilities must be corrected and retested.

What Your QSA Will Look For

Your QSA will review semi-annual reports to verify testing was performed every six months by qualified individuals against all CDE segments in scope for your assessment. You should ensure these semi-annual penetration tests have been scheduled, as your QSA will expect you to be able to demonstrate that testing has been conducted as required after February 1, if not started before.

Note: This requirement is for service providers only.

Requirement 12.4.1 (Service Providers Only)

Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: 

  • Overall accountability for maintaining PCI DSS compliance 
  • Defining a charter for a PCI DSS compliance program and communication to executive management


Requirement 12.4.1 is fairly simple. Just make sure you have a formally documented PCI compliance charter in place as well as documentation demonstrating formal accountability for compliance is assigned and compliance concerns are regularly reported to executive management.

What your QSA Will Look For

Your QSA will review your company’s formally documented PCI compliance charter as well as records of communication with executive management. The QSA will also interview individuals responsible for compliance to verify they are aware of their responsibilities. 

Note: This requirement is for service providers only.

Requirements 12.11 & 12.11.1 (Service Providers Only)

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: 

  • Daily log reviews 
  • Firewall rule-set reviews 
  • Applying configuration standards to new systems 
  • Responding to security alerts 
  • Change management processes

12.11.1: Maintain documentation of quarterly review process to include: 

  • Documenting results of the reviews 
  • Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program 


To achieve compliance with these controls, make sure you conduct a formal, quarterly review of time-based security controls to ensure they are executed on-schedule and documented. Be aware that it is not sufficient to simply demonstrate the successful execution of these controls throughout the year. You must demonstrate that quarterly internal reviews are conducted and that any discovered deficiencies are corrected.

What Your QSA Will Look For

Your QSA will review policies, procedures, and records of review as well as interview appropriate personnel to determine how reviews are conducted. You should ensure quarterly security control reviews have been scheduled for 2018, since this requirement is time-sensitive. Your QSA will need to verify these activities have been conducted as required after February 1, if not started before.

Note: These requirements are for service providers only.

There’s no doubt about it—PCI DSS is a challenging framework. But, with the right tools and guidance, compliance is achievable. If you have more questions about general PCI compliance or the new requirements in particular, contact us today to learn how we can help.