The PCI Security Standards Council usually works to a three-year cycle for new releases of the Data Security Standard. The last major release (v3) was in November 2013, so we would be expecting v4 in November this year. However, the PCI SSC has announced that there will not be a new v4 release in November 2016. The first reaction for merchants and QSAs may be a huge sigh of relief. Even if the content of the requirements doesn’t always change much, the Council has a habit of changing numbering and other details that result in a huge amount of work keeping tools and procedures up to date.
However, that sigh of relief may be premature! Instead of v4 in November, we can expect v3.2 in spring 2016. What might this bring?
Changes expected to appear in the PCI DSS v3.2
The first thing is the changed date for retiring the use of SSL and ‘early’ TLS as a security control. PCI DSS v3.1 prohibited these after 3 June 2016, but pushback from many merchants protesting that this was an unachievable timescale has led the Council to revise that date to 30 June 2018. This will be reflected in v3.2 and will be appreciated by many merchants.
Another likely change is a requirement for system administrators for systems within the cardholder data environment to use two-factor authentication. Given the reluctance of some merchants to meet the existing requirement for two-factor authentication for remote access, this may be a less welcome change.
The Council also talks about clarifying masking criteria for primary account numbers (PAN) when displayed. Whether this means changes to the digits permitted to be displayed, changes to what constitutes a ‘business need’ to see the full PAN or something else, it may give rise to a need to change processes or software.
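As an added illustration of the masking point (this is not code from the original post or from 7Safe), the Python helper below displays a PAN under the first-six/last-four limit of the existing requirement 3.3 and returns the full PAN only when the caller's role is on an allow-list representing a documented business need. The sample numbers are constructed test values, not real cards, and the role allow-list is an assumption for the example.

```python
import re
from typing import Optional

# Assumed allow-list standing in for a documented 'business need' to see the full PAN.
ROLES_WITH_BUSINESS_NEED = {"chargeback-analyst"}

# Constructed sample inputs for demonstration; none are real card numbers.
SAMPLE_PANS = {
    "4111 1111 1111 1111": True,   # 16 digits, passes the Luhn check
    "4111 1111 1111 1112": False,  # last digit altered, fails the Luhn check
    "378282246310005": True,       # 15-digit format, passes the Luhn check
    "12345": False,                # too short to be a PAN
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: catches mistyped PANs; it is not proof that a card exists."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(value: str) -> Optional[str]:
    """Strip spaces/dashes and accept only 13-19 digit strings with a valid Luhn checksum."""
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return None
    return digits


def display_pan(value: str, role: str) -> str:
    """Return the PAN as it may be shown to 'role'.

    Masked form keeps at most the first six and last four digits; the full PAN is
    returned only for roles on the business-need allow-list.
    """
    digits = normalise_pan(value)
    if digits is None:
        raise ValueError("not a well-formed PAN")
    if role in ROLES_WITH_BUSINESS_NEED:
        return digits
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
```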
Compliance is made a business-as-usual activity
Version 3 of the standard put a greater focus on making compliance a business-as-usual activity. This was not so much in the requirements themselves – there have always been many requirements for regular or periodic actions – but in a couple of pages of recommendations and guidance in the introduction to the standard. In the meantime, the Council introduced the concept of a ‘Designated Entity’ and a ‘Supplemental Validation’ process. An example of a Designated Entity could be an entity that handles large amounts of card data or has suffered significant breaches. The supplemental validation was all about making compliance a business-as-usual activity. Now, the Council says that it will incorporate some of these requirements into the standard.
These could include such things as:
- Management ownership, a charter and a formal programme for compliance
- Formally assigning roles and responsibilities for compliance
- More role-specific training
- Quarterly revalidation of scope
- Verifying compliance for in-year new and changed systems
Whatever it contains, version 3.2 will become effective upon publication, although new requirements will have a lead-in time to allow organisations to prepare. The Council will retire Version 3.1 three months after version 3.2 is published.
We will provide additional information on the changes as this becomes available, but in the meantime please contact us for any further advice.
# # #
Stephen Hancock is an enthusiastic and creative information assurance specialist with experience in both private and public (local government, health and criminal justice) sectors. Stephen has specific expertise in IT audit and information security, and has supported and assessed organisations for PCI DSS compliance and implementing ISO27001. He has a particular interest in information assurance and governance and lists skills in performance management, transformation, change, risk assessment, audit and review of governance and project management (PRINCE2, MSP).
7Safe Information Security/PCI DSS Compliance Services