New Crypto Requirements in PCI DSS 3.2

Graham Steel
May 31, 2016

Update March 2018: You can read about how to test PCI-DSS crypto compliance using our Analyzer software.

Original post:


The new version (3.2) of the PCI DSS compliance requirements for the payment card industry was released a few weeks ago. While the PCI definition of strong cryptography remains unchanged, the new version contains some other interesting new measures around the secure use of cryptography.

The deprecation of SSLv3 and TLSv1.0/1.1 is confirmed. However, to stay compliant, you still have two years to remove them before the deadline of June 2018. A new requirement has been introduced for service providers to map out their cryptography use:
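As an added illustration of what the deprecation means in practice (this is example code written for this post's editing pass, not Cryptosense's software or anything from the PCI standard itself), the following Python uses the standard `ssl` module to build a client context whose protocol floor is TLS 1.2, to report which deprecated versions a given floor would still negotiate, and to classify the protocol string a live connection reports. The host name in `negotiated_version` is whatever endpoint you are auditing; nothing below contacts the network unless you call that function.

```python
import socket
import ssl

# Protocol versions PCI DSS 3.2 confirms as deprecated (migration deadline
# June 2018, per the post). TLS 1.2 is the lowest floor that remains compliant.
PCI_MINIMUM_VERSION = ssl.TLSVersion.TLSv1_2
DEPRECATED_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)
# Protocol names as returned by SSLSocket.version() for the deprecated versions.
DEPRECATED_NAMES = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})


def pci_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2.

    A server that only offers SSLv3 or TLS 1.0/1.1 fails the handshake
    instead of the client silently accepting a weaker protocol.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = PCI_MINIMUM_VERSION
    return ctx


def deprecated_versions_allowed(min_version: ssl.TLSVersion) -> list:
    """Deprecated versions a context with this protocol floor would still accept.

    TLSVersion is an IntEnum, so the floor compares numerically; the special
    MINIMUM_SUPPORTED value sorts below every real version and therefore
    reports all three deprecated protocols as allowed.
    """
    return [v for v in DEPRECATED_VERSIONS if min_version <= v]


def protocol_is_pci_compliant(name) -> bool:
    """Classify a negotiated-protocol string such as SSLSocket.version() returns.

    None (no handshake) and every SSLv*/TLSv1/TLSv1.1 name are non-compliant;
    TLSv1.2 and TLSv1.3 are compliant.
    """
    if name is None:
        return False
    return name not in DEPRECATED_NAMES and name.startswith("TLSv1.")


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with the hardened context and report the negotiated protocol.

    Returns the protocol name on success, or None when the server cannot
    meet the TLS 1.2 floor (handshake failure), i.e. the non-compliant case.
    """
    ctx = pci_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None
```

Running `protocol_is_pci_compliant(negotiated_version("your-gateway.example"))` against each endpoint in scope gives a quick yes/no per host; a None result is worth investigating separately from a weak-protocol result, since it may also mean the host is simply unreachable.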

3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
- Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any HSMs and other SCDs used for key management

(a "service provider" is defined here as someone who is "directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.")

No doubt many service providers already maintain such documentation, but the reality is that externally sourced applications that encrypt cardholder data for storage or transmission may sometimes be using undocumented cryptographic methods that the service provider is not aware of. Here the PCI standard is making it clear that it is the service provider's responsibility to know what crypto they are using.
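To make requirement 3.5.1 concrete, here is an added example (written for this editing pass, not Cryptosense code and not part of the standard) of the inventory it asks for in machine-readable form, with a check that flags the two things a documented architecture makes visible: keys past their expiry date and keys whose effective strength falls below the floor. The 112-bit floor and the algorithm-to-strength table are assumptions taken from the PCI DSS glossary definition of strong cryptography and NIST SP 800-57, not from the post; the inventory records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Assumed floor: PCI DSS's glossary defines "strong cryptography" as a minimum
# of 112 bits of effective key strength (assumption, not stated in the post).
STRENGTH_FLOOR_BITS = 112

# Effective security strength per NIST SP 800-57 Part 1 for (algorithm, key size).
# Anything not listed is treated as unknown and scored 0, which forces review.
EFFECTIVE_STRENGTH = {
    ("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
    ("RSA", 1024): 80, ("RSA", 2048): 112, ("RSA", 3072): 128,
    ("3DES", 112): 80,    # two-key TDEA
    ("3DES", 168): 112,   # three-key TDEA
    ("ECC", 256): 128,
}


@dataclass(frozen=True)
class KeyRecord:
    """One line of the 3.5.1 inventory: algorithm, strength, usage, expiry, SCD."""
    name: str
    algorithm: str
    key_bits: int
    usage: str        # description of key usage, e.g. "PAN encryption at rest"
    expires: date
    stored_in: str    # HSM / SCD identifier, or "software" if no SCD is involved


def effective_strength(rec: KeyRecord) -> int:
    return EFFECTIVE_STRENGTH.get((rec.algorithm, rec.key_bits), 0)


def audit_inventory(records, today: date):
    """Return (key name, finding) pairs for weak or expired keys."""
    findings = []
    for r in records:
        strength = effective_strength(r)
        if strength < STRENGTH_FLOOR_BITS:
            findings.append((r.name, f"weak: {r.algorithm}-{r.key_bits} "
                                     f"gives {strength}-bit effective strength"))
        if r.expires <= today:
            findings.append((r.name, f"expired on {r.expires.isoformat()}"))
    return findings


def scd_inventory(records) -> list:
    """Sorted list of distinct HSMs/SCDs referenced by the key inventory."""
    return sorted({r.stored_in for r in records if r.stored_in != "software"})


# Constructed sample inventory (hypothetical names and devices).
SAMPLE_INVENTORY = [
    KeyRecord("pan-dek-01", "AES", 256, "PAN encryption at rest",
              date(2019, 6, 30), "HSM-A"),
    KeyRecord("legacy-3des-01", "3DES", 112, "PIN block encryption (legacy)",
              date(2016, 1, 1), "HSM-B"),
    KeyRecord("tls-web-01", "RSA", 1024, "TLS server key, customer portal",
              date(2018, 6, 30), "software"),
]

if __name__ == "__main__":
    for name, finding in audit_inventory(SAMPLE_INVENTORY, date(2016, 6, 1)):
        print(f"{name}: {finding}")
    print("SCDs in use:", scd_inventory(SAMPLE_INVENTORY))
```

Keeping the inventory in a form like this (a YAML or CSV file that deserialises into `KeyRecord`s works equally well) means the documented description 3.5.1 asks for can be re-checked on every release rather than rewritten by hand before an assessment.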

Crypto Cartography Software

Cryptosense software can detect the crypto used by applications using common cryptographic libraries like Java and OpenSSL, and test its security and compliance with PCI-DSS. Get in touch to find out more.