Has the era of major revisions to the Payment Card Industry Data Security Standard come to an end? Some industry watchers believe the standard has reached a stage of maturity where only minor tweaks are required and organizations can now expect stability in the world of credit card compliance.
In February 2016, the PCI Security Standards Council published a blog interview with Troy Leach, the council's CTO, that announced the upcoming release of PCI DSS 3.2 and discussed the future of the standard. So what should merchants expect in PCI DSS 3.2 and how might the standard's release tempo change in the future?
Inside PCI DSS 3.2
Leach announced the latest revision to the standard will hit the internet sometime during the first half of 2016 and will hopefully be fully released in March or April. This bucks the typical release cycle of PCI DSS that had compliance experts expecting an update to the standard in November 2016. According to Leach, the release of PCI DSS 3.2 this spring replaces that update. "We are not planning any additional releases of PCI DSS during 2016," Leach said. "The version 3.2 release in the first half of 2016 replaces the expected fourth quarter 2016 release."
One of the major expected changes to the standard involves the scope of the requirement for multifactor authentication in cardholder environments. Currently, PCI DSS requirement 8.2 calls for the use of multifactor authentication for remote access to the cardholder data environment. Leach stated the council is considering "additional multifactor authentication for administrators within a cardholder data environment." Reading the tea leaves, it sounds like PCI SSC might plan to roll out a two-factor requirement for all administrator access to systems storing, processing or transmitting cardholder data.
Service providers should watch carefully for news on the new standard. In his blog post, Leach cryptically mentioned "incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers." DESV outlines a series of extra controls required for high-risk entities that have either suffered multiple breaches or are particularly risky targets. Leach's statement seems to imply that some of the controls found in DESV, such as conducting formal compliance reviews, scouring systems for the presence of cardholder data and conducting semi-annual user account reviews, might work their way into the PCI DSS baseline.
Leach also mentioned two other updates that organizations should expect to see in PCI DSS 3.2. First, the update will likely attempt "clarifying masking criteria for primary account numbers when displayed." That one is confusing because the current masking criteria seem pretty straightforward in requiring the masking of all but the first six and last four digits of account numbers. Second, the update will formalize the revised deadlines for SSL/TLS migration.
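Two of the controls mentioned above, masking a primary account number for display (all but the first six and last four digits) and the DESV practice of scouring systems for stored cardholder data, are easy to get wrong in code. The following is an added example written for this article, not code from the PCI SSC or from any vendor, that implements both: a masking function, a check that a rendered string does not reveal digits outside the permitted positions, and a discovery routine that finds PAN-shaped digit runs in text and keeps only those that pass the Luhn check. The fill character, the accepted separators (space and hyphen), the 13 to 19 digit length window and the sample log line are all assumptions; the card numbers are standard test numbers, not real accounts.

```python
"""PAN helpers for two PCI DSS controls: masking a primary account number
for display (first six / last four) and scanning text for stored PANs.
Added example; all inputs below are constructed test values."""
import re

# A PAN candidate: 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run (assumed format).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(value: str) -> str:
    """Strip the separators we accept so all checks work on bare digits."""
    return re.sub(r"[ -]", "", value)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, fill: str = "X") -> str:
    """Mask all but the first six and last four digits of a PAN."""
    digits = _digits_only(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped digit string")
    return digits[:6] + fill * (len(digits) - 10) + digits[-4:]


def display_is_compliant(displayed: str, pan: str) -> bool:
    """Check that a rendered form of `pan` exposes no digit outside the
    first six or last four positions (and matches the PAN where it does)."""
    digits = _digits_only(pan)
    shown = _digits_only(displayed)
    if len(shown) != len(digits):
        return False
    n = len(digits)
    for i, ch in enumerate(shown):
        if not ch.isdigit():
            continue  # a mask character, fine anywhere
        if ch != digits[i]:
            return False
        if not (i < 6 or i >= n - 4):
            return False  # a real digit revealed in the middle of the PAN
    return True


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in text, as bare digit strings.
    The Luhn filter removes most order numbers and other digit runs."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = _digits_only(match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample line, e.g. from an application log under review.
SAMPLE_LOG = (
    "order=1234567890123 card=4111 1111 1111 1111 "
    "alt=4111-1111-1111-1112 amex=378282246310005"
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("stored PAN found, masked form:", mask_pan(pan))
```

`find_pans` is deliberately conservative: it reports only digit runs that are both PAN-shaped and Luhn-valid, so the 13-digit order number and the mistyped `...1112` candidate in the sample line are dropped. `display_is_compliant` is the check to run against whatever a screen or report actually renders; it catches the common mistake of masking the wrong end of the number.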
Is PCI DSS 3 the last major revision?
One of Leach's quotes in the article has social media abuzz with rumors that PCI DSS 3.2 will be the last major revision to the standard. To be fair, that's not quite what Troy said in the blog post. Here's his quote:
"The industry recognizes PCI DSS as a mature standard now, which doesn't require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard."
The bottom line is that we should expect continued minor revisions to the standard as the new normal, but Leach did not rule out future major revisions to PCI DSS. As the technology landscape changes, new threats or new card-processing technologies will likely require the release of PCI DSS 4.0 and other major revisions.