PCI Council says bye-bye to big bang standards upgrades
PCI DSS version 3.2 will land in March or April and be 2016's only update
The PCI Security Standards Council is inching towards a “March/April timeframe” release of version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS).
The headline item in the update will be the revised, and rather later, dates for migration away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS). The Council originally planned for migrations to be complete by the middle of this year, but in the shadow of Christmas 2015 decided that June 2018 is a better date, as big banks have struggled to make the move.
The Council's chief technology officer Troy Leach has also signalled that future editions of the Standard won't represent big bangs. “Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard,” he writes. Leach also says that “... for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed”.
Another nugget of news Leach dropped into the Q&A we've linked to above is that version 3.2 of PCI DSS will be 2016's only release, in part to let you all get on with your SSL and TLS migrations rather than wrestling with a new set of requirements. ®