2016 saw an unprecedented move by the independent industry standards body, the PCI Security Standards Council (PCI SSC), which develops and manages the payment card industry security standards. The PCI Data Security Standard (PCI DSS), which is designed to protect cardholder data, had followed a well-defined 36-month lifecycle for major releases. A new major release, PCI DSS Version 4.0, was therefore due in 2016. Instead, in a press release on 28th April 2016, the PCI SSC announced a minor release, PCI DSS Version 3.2, replacing PCI DSS Version 3.1, which was itself a minor release of PCI DSS Version 3.0 issued in April 2015.
As detailed in the PCI DSS Version 3.2 press release, the then PCI Security Standards Council General Manager, Stephen Orfei, said:
“The payments industry recognises PCI DSS as a mature standard, so the primary changes in version 3.2 are clarifications on requirements that help organisations confirm that critical data security controls remain in place throughout the year and that they are effectively tested as part of the ongoing security monitoring process.”
In the same press release, the PCI Security Standards Council Chief Technology Officer, Troy Leach, told the PCI community to expect more incremental releases of the PCI DSS, saying:
“Moving forward, we expect incremental revisions like those in version 3.2 to address evolving threats to the payment landscape, with a focus on helping companies use this standard as a good framework for everyday security and business best practice.”
During the PCI SSC European Community Meeting, the PCI SSC announced plans to release a minor update to PCI DSS in 2018. Yesterday the PCI SSC released PCI DSS Version 3.2.1. This release is very minor and is not expected to introduce any new requirements. It removes the ‘best practice’ dates that expired in Feb 2018; the controls they applied to are now mandatory requirements within the standard. Additionally, a clarification has been added to Appendix A2 to ensure the PCI community understands that, as of 30th June 2018, SSL/early TLS cannot be used as a security control, except for POS POI terminals and the endpoints of service providers supporting those POS POI terminal connections. The update also fixes some typographic, grammatical and formatting errors within the standard. For details of the updates, see the Summary of Changes from PCI DSS Version 3.2 to 3.2.1 document released by the PCI SSC.
The next major release of PCI DSS is expected in 2020. Yesterday the PCI SSC also published a post with Troy Leach titled ‘PCI DSS Now and Looking Ahead’, which provides more insight into this release and the next major release.