Several PCI DSS requirements from version 3.2 come into effect at the end of January, 2018 (that’s just five months from now!).
Here is a list of some of the changes that will come into effect:-
3.5.1: Full documentation of all cryptographic architecture (service providers only)
6.4.6: Change management processes that include verification of any PCI DSS impact for changes to systems or networks
8.3.x: MFA for all non-console access to CDE. This requirement has been the subject of much discussion, and we expect many entities to require remediation.
10.8: Detection and reporting of all critical security control system failures (service providers only)
11.3.4.1: Penetration testing must now be performed every 6 months, as well as after any segmentation changes. (service providers only)
12.4.1: Executive management must establish PCI responsibilities and compliance program management (service providers only)
12.11.x: Quarterly personnel reviews P&P’s (service providers only)
