The PCI Security Standards Council announced it will publish a new version of the PCI Data Security Standard sometime in either March or April, and PCI DSS 3.2 will be the only release for the year.
The aim, according to the council, is to release early and include long sunrise dates in order to allow organizations more time to deal with changes related to the EMV (Europay, MasterCard and Visa) chip rollout. In a blog post about PCI DSS 3.2, Troy Leach, CTO of the PCI Security Standards Council, said the decision was made to move to a single release earlier in the year for a number of reasons.
“First, we must address the revised migration dates away from SSL and early TLS [Transport Layer Security],” Leach said. “Second, the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.”
Leach said the PCI Council also recognizes an early release may help retailers dealing with the drastic changes with payment systems being transitioned to EMV chip and PIN and contactless payments in the U.S.
While there aren’t any major changes on tap for PCI DSS 3.2, there are some important modifications. According to Leach, the PCI council took into account market feedback and trending attacks found in breach forensics when deciding what changes to make.
“For 3.2, we are evaluating additional multifactor authentication for administrators within a cardholder data environment; incorporating some of the designated entities supplemental validation criteria for service providers; clarifying masking criteria for primary account numbers when displayed; and including the updated migration dates for SSL and early TLS that were published in December 2015,” Leach said.
Organizations should be aware that PCI DSS 3.2 will become effective immediately when it is released, and version 3.1 will be retired a short three months later. This means any PCI DSS 3.1 assessments in progress would need to be completed by either June or July, depending on when version 3.2 is published.
According to Leach, the upcoming release of PCI DSS 3.2 “is as good a time as any to re-evaluate how to minimize effort, while improving security posture.”
“It is a healthy practice for any company to regularly evaluate how it accepts payments, and whether it can reduce the risk to its customers and its organization by changing business practices for cardholder data exposure; evaluating newer payment technology, like tokenization and encryption; and confirming its third-party service providers understand the importance of the upcoming changes, as well,” Leach said.
Learn how companies are doing in regard to PCI compliance with the Verizon 2015 PCI report.
Learn how to create a PCI DSS 3.1 migration plan to TLS 1.2.