Today the PCI SSC published a minor revision to the PCI Data Security Standard (PCI DSS) to account for dates that have already passed, such as the 1 February 2018 effective date for new requirements and Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration dates.
Here we talk with PCI SSC Chief Technology Officer Troy Leach about the impact of this update, and what stakeholders can expect for the future of the PCI DSS.
Why this revision now?
Troy Leach: With the 2018 dates within PCI DSS v3.2 passing, we wanted to provide the necessary changes to reflect that update and provide clarity to existing positions such as exceptions for use of SSL/early TLS beyond those dates for POI (point of interaction) devices not exposed to currently known risks and their termination points.
Is there a transition period from PCI DSS v3.2 for organizations to adopt PCI DSS v3.2.1?
Troy Leach: Yes, entities transitioning between version 3.2 and 3.2.1 of the standard will have six months after 1 July 2018 to complete their transition to the new version of the standard. PCI DSS v3.2 will remain valid through 31 December 2018 and will be retired as of 1 January 2019. Prior to 1 January 2019, entities may validate to either version 3.2 or 3.2.1 of the standard. As of 1 January 2019, all validations must be to at least v3.2.1.
This transition period is intended to allow sufficient time for entities to update their reporting templates and forms. It also provides flexibility for entities whose validations in the latter half of 2018 encompass the completion of their migration from SSL/early TLS prior to 30 June 2018. Entities completing their 2018 assessments, reporting and validation efforts in the second half of the year can utilize the version of the standard that best addresses their reporting needs.
When will Self-Assessment Questionnaires (SAQ) be available for PCI DSS v3.2.1?
Troy Leach: We anticipate updated SAQs will be available by the end of June. The SAQs will incorporate the updates introduced in PCI DSS v3.2.1. Additionally, we are planning to update SAQ A to include Requirement 6.2, for merchants to ensure security patches are applied to their webserver environment, including applying critical security patches within 30 days. This change is necessary to address current threats and compromises impacting e-commerce redirection servers.
The Report on Compliance (ROC) Template and Attestations of Compliance (AOC) will also be published in June to support PCI DSS v3.2.1.
PCI SSC conducted a formal feedback period on the PCI DSS with Participating Organizations and assessors at the end of 2017. What is PCI SSC planning to do with the feedback received?
Troy Leach: The feedback received from Participating Organizations and assessors was part of the update process for PCI DSS v3.2.1 and is being reviewed now as we consider more significant changes for the next major version of the PCI DSS. We are working through these comments and considering how advancements in payments are evolving the approach to securing payment data. The next major version of PCI DSS is not anticipated for release prior to 2020, but PCI SSC will keep stakeholders informed on its development and timing of publication as this effort progresses.
What can you tell us now about future plans for updating the PCI DSS?
Troy Leach: Our focus for evolving all PCI Security Standards is both to improve security of cardholder data and enable solutions that devalue payment card data and remove the incentive for criminals to steal it.
For PCI DSS specifically, minor revisions made in recent years underscore the maturity of the standard. As we consider future changes, we are specifically looking at ways in which we can provide greater flexibility for organizations to focus on the security controls needed to protect payment data, and recognize changes in technology as well as data assets that reduce risk for their payment environments.