We have just received news about the next version of PCI DSS, which, under the usual standard lifecycle, we initially expected at the end of the year.
However, following recent changes to the deadline for migrating away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), the release of PCI DSS 3.2 has been announced for early 2016.
In a recent blog post, the council's CTO Troy Leach explains that the revision could be published as early as March 2016.
What to expect?
Troy Leach confirmed that this will be the only release in 2016; there will not be another version of the standard in October 2016 as initially planned.
The other important point to note is that the changes are likely to be minor, essentially addressing the SSL/early TLS issues that arose over the past few months.
The standard tends to evolve primarily in response to changes in the threat landscape and to reported breaches that use specific attack vectors which PCI DSS may or may not already address well.
It is understood that one of these potential changes might well be a requirement to use multi-factor authentication for administrators within a cardholder data environment (as opposed to only for remote access to the network).
One important point to note is that version 3.2 will become effective as soon as it is published. There will be a transition period during which version 3.1 remains usable, but that period ends three months after 3.2 is published.
It is also very likely that the most impactful changes will be treated as best practices for a few months before becoming actual requirements enforced on an organisation undergoing a PCI DSS v3.2 assessment.
What about PA-DSS?
A new version of PA-DSS is also expected about a month after PCI DSS 3.2 is published. You can expect the changes to affect exactly the same area, namely SSL/early TLS. No further information on other changes to the program has been provided at the time of writing.
With SSL/early TLS being the main driver behind the decision to move to v3.2 earlier than expected, we recommend reviewing the council's guidance on migrating from these protocols, which are now considered unacceptable for both compliance and security purposes.
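As a practical illustration of what the migration means in code, the following is an added example (not part of this post, the council's guidance, or any Five Security tooling) showing a weak TLS client configuration beside a corrected one, using only Python's standard `ssl` module. The "legacy" context, the "hardened" context, and the `audit_context` checker are constructed for this example; the list of versions it flags (SSL 3.0, TLS 1.0 and TLS 1.1) is our assumption of what an assessor would expect to see disabled.

```python
"""Check whether a Python ssl.SSLContext still accepts SSL or early TLS.

Added example: the contexts and the audit function are constructed for
illustration and are not taken from any PCI SSC document.
"""
import ssl

# Protocol versions assumed to be out of scope for a compliant configuration.
# ssl.TLSVersion has no SSLv2 member; modern OpenSSL builds cannot speak it at all.
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def build_legacy_context() -> ssl.SSLContext:
    """Constructed 'before' configuration.

    MINIMUM_SUPPORTED lets OpenSSL negotiate the oldest protocol it was built
    with, which is exactly the behaviour the migration guidance targets.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def build_hardened_context() -> ssl.SSLContext:
    """Constructed 'after' configuration: refuses anything older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # Certificate validation stays on; disabling it is a separate finding
    # that this checker does not cover.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means no SSL/early TLS exposure.

    TLSVersion is an IntEnum ordered by protocol version number, so a
    minimum_version at or below a legacy version means that version is
    still negotiable with a peer that offers nothing better.
    """
    findings = []
    for version in LEGACY_VERSIONS:
        if ctx.minimum_version <= version:
            findings.append(
                f"{version.name} still negotiable "
                f"(minimum_version={ctx.minimum_version.name})"
            )
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", build_legacy_context()),
                       ("hardened", build_hardened_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Running the block prints three findings for the legacy context and `OK` for the hardened one. The same `minimum_version` check applies to server-side contexts built with `ssl.PROTOCOL_TLS_SERVER`, which is where a cardholder data environment is most likely to be exposed; for services outside Python (web servers, load balancers, appliances) the equivalent evidence comes from their protocol settings and a handshake test against the deployed endpoint.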
As usual, the team at Five Security is available to assist and answer your questions about the new versions of PCI DSS and PA-DSS.
Photo: Jim Merithew Creative Commons