Is Your Payment Application Ready to Leap to PA-DSS Version 3.2?
By Robert Spivak - 08 Jun 2016.
With the release of PA-DSS 3.2 on June 8th, the PCI Council has provided sunset dates for PA-DSS 3.1 applications and application listings. The key item to note is that ROVs and changes for payment applications validated according to PA-DSS v3.1 may be submitted through 31 August 2016. As of 1 September 2016, all new ROVs must be validated according to PA-DSS v3.2.
The table below gives a breakdown of the dates you should be aware of for your payment applications.
Lifecycle Dates for PA-DSS | PA-DSS 3.1 | PA-DSS 3.2 |
---|---|---|
Effective Date: Submissions will be accepted from this date. | 1 June 2015 | 1 June 2016 |
Standard Expiry Date: Submissions for new application listings and high impact changes will not be accepted after this date. | 31 August 2016 | TBD |
Application Listing Expiry Date: All applications will be moved to "Pre-Existing Deployments" list. | 28 October 2019 | 28 October 2022 |
Changes accepted until: Low impact and no impact changes for listed applications. | 28 October 2019 | 28 October 2022 |
What if I am currently in the process of validation?
This is a common question, both for us and for the PCI Council. In its publication, the Council addresses it with the following statement:
“While PCI SSC is unable to grant any extensions past 31 August 2016, assessors/vendors will have until 30 November 2016 to resolve and resubmit ROVs or change submissions for which PCI SSC requests additional clarification or action, as long as the completed ROV and all supporting documentation was submitted to PCI SSC and the corresponding invoice was paid in full prior to 12:00AM EDT 1 September 2016.”
Thus, if you are in the middle of an assessment, you should make it a priority to complete it prior to August 31, 2016. If you believe that you will not be finished prior to the end of August, or are thinking of starting a PA-DSS validation, you will need to align to PA-DSS 3.2.
If you are unsure about what to do next, give Control Gap a call and we will help you navigate the compliance waters.