PCI DSS version 3.1 will be retired on October 31, 2016, with version 3.2 being the only valid version beginning the 1st of November. From that date, any new validation of PCI compliance will have to be against version 3.2. The new requirements will, however, be considered ‘best practices’ until Feb. 1, 2018 when they will be mandatory.

One of the most important requirements is completion of the migration from SSL and early TLS to the more secure later versions of TLS. Alexander Norell, EMEA director at Trustwave’s Global Compliance and Risk Services, told SecurityWeek that this is designed to mitigate against increasing man-in-the-middle attacks against e-commerce. If an attacker gets access to a merchant, then POODLE  or BEAST can gain access to the session.