With the December 2015 bulletin extending the deadline for Secure Sockets Layer (SSL)/Early Transport Layer Security (TLS) migration, the PCI Council announced it would publish a new version of the PCI Data Security Standard (PCI DSS) in early 2016 to include the revised migration dates and address changes in the threat and payment acceptance landscape.
In this blog post we talk with PCI Security Standards Council Chief Technology Officer Troy Leach on what to expect with the release of PCI DSS 3.2, and how organizations can start planning for it now.When will PCI DSS version 3.2 be released?
Troy Leach: The Council will publish the revision in the first half of 2016 – we are aiming for the March/April timeframe. We will keep stakeholders informed as we move closer to that date.
Why now and not later in the year, when new versions are typically released?
Based on what you’re saying, there is no expectation of a PCI DSS release in November 2016?
Troy Leach: Several reasons. First, we must address the revised migration dates away from SSL/early TLS. Second, the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard. Finally, we are sensitive to the drastic changes that are happening with payment acceptance - from advancements in mobile payments to EMV chip rollout in the United States, to adoption of other forms of dynamic data and authentication. By releasing the standard early, with long sunrise dates, organizations can evaluate the business case for their security investments. This also allows us more time to dedicate to security priorities for those specific payment channels in the future.
What changes are expected?
Troy Leach: That’s correct. We are not planning any additional releases of PCI DSS during 2016. The version 3.2 release in the first half of 2016 replaces the expected fourth quarter 2016 release.
How long will organizations have to move over to PCI DSS 3.2?
Troy Leach: When making changes to the standard, in addition to market feedback, we look closely at the threat landscape, and specifically what we are seeing in breach forensics reports as the trending attacks causing compromises. With this in mind, for 3.2 we are evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers; clarifying masking criteria for primary account numbers (PAN) when displayed; and including the updated migration dates for SSL/early TLS that were published in December 2015.
Will there be an update to PA-DSS too?
Troy Leach: As usual, there will be a transition period, and we will keep everyone informed as we approach publication. Version 3.2 will become effective as soon as it’s published, and version 3.1 will be retired three months later to allow organizations to complete PCI DSS v3.1 assessments already under way. Keep in mind, though, that new requirements always have a sunrise date prior to them being effective. This allows organizations to plan accordingly prior to validating to new PCI DSS requirements. The new requirements will be considered best practices for a sunrise period to be determined based on the release date.
Will the Council publish updated guidance along with the publication of PCI DSS 3.2 and PA-DSS 3.2?
Troy Leach: Yes, the changes to PA-DSS will align as needed with those made to PCI DSS. We plan to publish PA-DSS 3.2 in the month following release of PCI DSS 3.2. We’ll provide instruction to PA-DSS application vendors and assessors on how this update impacts their programs.
What can organizations be doing now to prepare for adopting the new standard?
Troy Leach: The revised standards will be accompanied by a Summary of Changes document for each standard. Additionally, guidance and Frequently Asked Questions will be created or updated as needed, as well as all our training material.
Troy Leach: It is a healthy practice for any company to regularly evaluate how it accepts payments and whether it can reduce the risk to its customers and its organization by changing business practices for cardholder data exposure; evaluating newer payment technology like tokenization and encryption; and confirming its third party service providers understand the importance of the upcoming changes as well. The revision of PCI DSS is as good a time as any to reevaluate how to minimize effort while improving security posture.
As a reminder, the SSL/early TLS updates in PCI DSS v3.2 are those made public in December. Organizations can and should already be addressing this issue, starting with reviewing the Bulletin on Migrating from SSL and Early TLS now for more information on where to begin with migration and taking advantage of the guidance and resources outlined.