The Payment Card Industry Security Standards Council will be releasing the updated PCI DSS 3.2 version this April - six months earlier than anticipated.
The PCI DSS 3.2 version is the first update the PCI council has released since April 2015 and includes new guidelines and requirements. In the past, the council operated on a three-year cycle for revisions that were typically released during the fourth quarter of that updated year.
Although specifics of the latest guidelines are not yet available, numerous organizations within retail and payments plan to watch for the revised SSL migration dates and any guidance on multi-factor authentication.
"It should be a beneficial step forward from a security perspective given the fact that passwords are so easily attacked," Conroy added. "But it will entail additional cost for businesses who aren’t already doing this as security best practice."
In order to keep pace with payment security technology and the techniques attackers are currently using, the council is expected to address threats with routine incremental modifications instead of waiting for a three-year revision cycle.
PCI Council Chief Security Officer, Troy Leach mentioned the council “is sensitive to the drastic changes that are happening with payment acceptance, specifically in the mobile space and EMV chip cards at the point of sale.”
Quicker reactions to certain trends of fraud should be an expected change within the retail and payments industries.
"From a security perspective, I think their move to smaller, incremental updates is positive, since the threat landscape moves so quickly. However, even small changes mean new work and cost for merchants and acquirers, so I don't imagine this shift will necessarily be one that will have them jumping for joy,” said Julie Conroy, research director and fraud expert with Aite Group.
At the end of 2015, the council released an additional update, a 92-page document that set out extra security procedures and requirements for tokenization service providers that issue payment tokens as an EMVCo-registered provider. The increasing number of token service providers made it necessary for the council to address the issue in greater detail.
PCI DSS 3.2 is likely to add multi-factor authentication requirements for administrators in a cardholder data environment, clarify the masking criteria for primary account numbers that are displayed, and add validation requirements for service providers.
PCI DSS 3.2 is also projected to address another vital topic for merchants by explaining the deadline extension that was mandated last December for web protocol security. The council set June 2018 as the updated time frame for merchants to become compliant by migrating from the Secure Sockets Layer protocol to a more secure version of Transport Layer Security.