PCI DSS version 3.2, scheduled for release in the first half of 2016, likely March or April, will address the current threat landscape as well as “trending attacks causing compromises” detailed in current breach forensics reports, PCI Security Standards Council Chief Technology Officer (CTO) Troy Leach said in a blog post Q&A.
“With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed,” Leach said.
New versions of PCI DSS are typically released in the fall, but the council moved 3.2's debut up, in part, to “address the revised migration dates away from SSL/early TLS,” Leach said. In a December bulletin, the council extended the deadline to June 30, 2018 for organizations to complete migration from Secure Socket Layer and Transport Layer Security 1.0 to a secure TLS iteration.
An early release also acknowledges PCI DSS's status as a “mature standard” that doesn't need significant updates any longer. “Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard,” he said.
Leach also noted that a spring release “with long sunrise dates” gives organizations time to do the business case for their security investments in the drastically changing payment acceptance market “from advancements in mobile payments to EMV chip rollout in the United States, to adoption of other forms of dynamic data and authentication.” An earlier release “allows us more time to dedicate to security priorities for those specific payment channels in the future,” he explained.
Additionally, the organization will release changes to PA-DSS a month after PCI DSS 3.2 is unveiled.
As is customary, the council will retire version PCI DSS 3.1 three months after it releases version 3.2.