PCI Data Security Standard (PCI DSS) version 3.2 was published in April 2016. In this blog post we talk with PCI SSC Senior Director of Data Security Standards Emma Sutcliffe about the standards development process and plans for updating PCI DSS.
When can the industry expect the next version of PCI DSS?
Emma Sutcliffe: A feedback period for PCI SSC Participating Organizations to provide input on the current versions of PCI DSS and the Payment Application Data Security Standard (PA-DSS) is planned for this year. Based on this feedback and market need, we will evaluate if and when a revision is needed, and update stakeholders accordingly.
As with any standard update, there will be transition periods provided for organizations to adapt to the new version without falling out of compliance. As an example, new requirements introduced in PCI DSS version 3.2 are best practices until 31 January 2018.
How does the standards update process work?
Emma Sutcliffe: PCI Security Standards are updated based on industry feedback, ongoing research into market needs, and changes in the threat and technology landscape. One of the primary channels is the formal feedback period for Participating Organizations, which is planned to start within the next couple of months. We also continuously monitor other industry bodies for updates or changes that may impact the standards. A recent example is the deprecation of SSL/early TLS as a secure protocol, and the migration timelines that were included in the last revisions of PCI DSS and PA-DSS.
What can you tell us about the PCI SSC’s strategic view for the future of the PCI DSS?
Emma Sutcliffe: The PCI Data Security Standard is a mature standard, addressing essential elements of data security. While we will continue to evolve the standard as needed, our focus looking ahead is how we can increase and improve adoption of these data security essentials for businesses of all sizes and types. We are working with the industry on ways in which we can provide greater flexibility for organizations to focus on the security controls needed to protect payment data and reduce risk for their payment environments, and to demonstrate that they have these practices in place.