Thursday, February 18, 2016

Where 4.0 Art Thou, PCI DSS?

In a not completely surprising move yesterday, Troy Leach of the Payment Card Industry Security Standards Council (PCI SSC) announced that there would not be a new, version 4.0 of the PCI Data Security Standard (PCI DSS) released in November of 2016. There will be a version 3.2 of PCI DSS released in the first part of this year.
The PCI SSC posted information on version 3.2 of the PCI DSS on their blog yesterday. As expected, this version of the standard will extend the sunset date for SSL v3 and early versions of TLS from June 30, 2016 to June 30, 2018. There will be other changes to the standard as well, and it sounds like the Council is still working out exactly what will be included. As with previous updates, the Council has taken market feedback into consideration, but it also looks closely at the current threat landscape, including the results of forensic investigations into recent breaches.
Some of the changes may include multi-factor authentication for system administrators from within the cardholder data environment, clarification of guidelines covering the masking of displayed card numbers, and incorporating parts of the Designated Entities Supplemental Validation (DESV) for service providers.
When asked why v3.2 was coming out now instead of the fall, Leach mentioned the SSL remediation change and seemed to confirm that the three-year life cycle of the standard was a thing of the past:
"...the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard."
He also said that these incremental changes will allow the Council to focus more of its time on emerging technologies, which are rapidly changing the ways in which payment cards are accepted.