Filter by Category

15 Days to PCI DSS 3.2: Preparing Your Organization for Compliance

pci dss 3.2 readiness checklist

There are two weeks left until February 1, 2018, the date PCI DSS 3.2 becomes enforceable.

In these final weeks, you may be wondering if you’ve checked all the boxes for 3.2 compliance. If you haven’t, is there enough time to prepare? What’s the risk of leaving it up to chance? Preparing to comply may seem labor-intensive, but if your organization fails a PCI DSS audit, you could face hefty fines.

RELATED WHITE PAPER: What’s New in PCI Data Security Standard 3.2

We understand these concerns, and we’re here to help. If you’re looking down the barrel of February’s deadline, get started with this PCI DSS 3. readiness checklist to identify where you’re on track and what still needs to be done.

14-Day Readiness Checklist for Compliance Changes



Review the contents of PCI DSS 3.2

It’s never a bad idea to refresh your PCI knowledge. You can find all the requirements and details here.

Identify which changes in version 3.2 apply to you

Some of the changes in PCI DSS 3.2 affect everyone, while others only affect service providers. Use this article to determine which requirements apply to you.

Update your card data flow diagram

PCI DSS requirement 1.1.3 obligates organizations to diagram and maintain their card data flows. We recommend updating your flows to ensure all cardholder data is properly accounted for.

Enforce multi-factor authentication (MFA) for all non-console admin access

PCI DSS requirement 8.3 has made MFA mandatory for non-console admin access to cardholder environments. Now is a good time to update any processes that may hinder this transition to MFA.

Record any employees who have access to unmasked Primary Account Numbers 

Only the first six/last four digits of a PAN are allowed to be displayed. The rest must be masked. Those who can see more than these digits must be documented and given a legitimate business need for their access.

Create a policy for setting up security controls in your Cardholder Environments (CDEs)

New in PCI DSS 3.2, any changes made to a CDE must be immediately followed with proper security controls. PCI DSS requirements impacted by CDE changes must then be re-verified to ensure continued compliance with all standards.

Encrypt your data in transit and at rest

PCI data should always be encrypted when in transit and at rest. Use a secure file transfer solution to ensure your data is always protected—no matter where it’s stored.

Ensure cardholder data is sent using secure communication methods

If cardholder data must be sent from one device to another, make sure it’s transferred through protected shared folders, secure mail, or encrypted collaboration, not regular email or text.

Apply firewalls to all portable devices that access the Internet and your CDE

PCI DSS requirement 1.4 requires employee devices that access the Internet and your environment to have frequently-monitored firewalls. You might check to ensure your data is kept out of the DMZ as well. A file transfer solution can help with this.

Review your users’ permissions and restrict access where needed

Requirement 7.1.2 looks for organizations to create an employee-wide, “least-privilege” policy. This ensures that only users with an actual business need can access sensitive cardholder information.

Perform quarterly reviews with your security personnel

If you’re a service provider, the newest version of PCI DSS requires you to perform quarterly reviews with your personnel. This ensures that security practices are being followed and risks are being mitigated.

Educate your team on any updates to your processes

Once you have everything in place for PCI DSS compliance, start a conversation with your team to ensure they understand how PCI DSS 3.2 affects their daily routine. Talking points might include the move to MFA and any further masking of your PANs.

Plan your migration from SSL and early TLS migration to TLS 1.1 or TLS 1.2

SSL and early TLS migration isn’t enforceable until July 1, 2018, but that doesn’t mean you can’t start the process now. Learn more about this requirement on the PCI Security Standards Council website.

RELATED READING: 7 Essential Resources on PCI DSS Security

While this checklist is a great place to start, make sure you review the official PCI DSS document library for the full summary of the changes in 3.2.

Are Your Data Transfers PCI Compliant?

GoAnywhere MFT can help you test over 60 security settings in your GoAnywhere environment with the PCI DSS Security Settings Audit Report. This report outputs a PDF that shows you how each area of the solution performed against PCI DSS 3.2.

There are five possible outcomes for each setting tested.

  • Pass: The setting meets the PCI DSS requirement.
  • Fail: The setting does not meet the PCI DSS requirement.
  • Warning: You should look into this issue further to determine if you are compliant.
  • Not Applicable: A check on this setting is not required.
  • Fatal: A configuration problem is preventing GoAnywhere from accessing the appropriate data.

In addition to determining status outcomes, the report will give you recommended actions on how to remedy failed/warning areas and list which section of PCI DSS each security check applies to.

See the report in action.

We’d love to walk you through our PCI reporting. To learn how GoAnywhere can help you meet PCI DSS 3.2 requirements for file transfer encryption, role-based security, and auditing, simply request a demo and mention the PCI DSS Security Settings Audit Report in the comment box.

Request a Demo


Add a Comment

Allowed tags: <b><i><br>

Latest Posts

Why You Should Never Use FTP to Transfer Cloud Files

March 7, 2019

The cloud has become an increasingly popular topic among organizations in recent years. From sharing projects via cloud collaboration tools to exchanging files between a company and its trading…

Public Defender’s Office Reduces Manual Data Entry with Secure File Transfer Software

March 4, 2019

Every organization has legacy processes. Manual data entry, file cabinets full of paper records, sensitive documents sent across the organization by email, or even file transfers sent via homegrown…

Five Secure File Transfer Alternatives to FTP

February 21, 2019

The Need for Secure File Transfer Protocols Back in the day, File Transfer Protocol (FTP) was the go-to protocol for sending files. It was a simpler time, and security was far less of an issue than…

Which is Better: Free SFTP Software vs. Enterprise-Level SFTP Software?

February 14, 2019

Free SFTP Software vs. Enterprise-Level SFTP Software In general, people like free things. Beverages, company lunches, swag at tradeshows and conferences, t-shirts and socks, those intriguing items…

What is Secure File Transfer?

February 5, 2019

Moving sensitive, often-proprietary files from one person—or organization—to another has become a complex aspect of the business world today. This complexity comes not only from the size…