The PCI Securities Standards Council said Wednesday that the next iteration of the Payment Card Industry data-security standard will be coming in the first half of this year, probably in March or April, about six months earlier than called for in the current update cycle.
The new version, dubbed PCI DSS 3.2, will succeed Version 3.1. The PCI Councilmade its last major revision of the DSS, Version 3.0, in November 2013. Under the existing three-year refresh cycle, an update of the main set of data-protection rules with which payment processors and card-accepting merchants must abide normally comes in the fourth quarter.
There are several reasons for the early release, the Wakefield, Mass.-based PCI Council said in a blog post. One is that the Council has already announced a major change, that being a two-year migration away from outdated Secure Sockets Layer encryption technology (SSL) and early versions of its successor, Transport Layer Security (TLS).
In addition, “the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past,” PCI Council chief technology officer Troy Leach said in the post. “Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.” The PCI Council issued Version 1.1 of the DSS in 2006.
Leach also said that the Council “is sensitive to the drastic changes that are happening with payment acceptance,” including the coming of mobile and EMV chip card payments, and wants to give organizations time to adapt to new rules and requirements in Version 3.2.
“Any new requirements in the standard will have a longer sunrise date,” Leach tells Digital Transactions News. “But it will be very focused, there are only a few areas that we are addressing.”
In addition to the SSL migration, changes in Version 3.2 are expected to cover multifactor authentication and validation requirements for third-party service providers that process, aggregate, or store cardholder data, according to the post.
The Council also plans to update a major companion standard that covers card-processing software, the Payment Application data-security standard, about a month after the new version of the main standard is released.