23 February 2016. Because the PCI Council's December 2015 bulletin extended the deadline for the SSL/TLS migration, a new version of the PCI Data Security Standard (PCI DSS) is to be published in early 2016 to include the revised migration dates and to address changes in the threat and payment acceptance landscape.
The PCI Security Standards Council (PCI SSC, owner of the PCI standard family) has announced new publishing information about PCI DSS version 3.2. In a blog post, the Council published an interview with its Chief Technology Officer, Troy Leach, on what to expect from the new release of the Standard.
The previous major version change was in November 2013, when the PCI Council published PCI DSS 3.0. According to the Standard's lifecycle, the next version would have been due in November 2016. However, several major events have occurred since 2013: among others, serious vulnerabilities were discovered in the widely used SSL and early TLS protocols, and new malware based on these weaknesses appeared worldwide. In response to these threats, the PCI SSC published PCI DSS 3.1, which restricted the use of the insecure versions of these protocols. With a few exceptions, new implementations may not use SSL or early TLS, and existing implementations must be migrated to TLS 1.1 or 1.2 by 30 June 2018.
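The migration requirement above is easy to state and surprisingly easy to get wrong, because a server can be "upgraded" to TLS 1.2 while still silently accepting SSLv3 or TLS 1.0 from older clients. As an added example (not from the PCI SSC or the original article), the following Python script probes a server for each protocol version individually and grades the result against the rule described above, and also shows a client context for new implementations that offers nothing older than TLS 1.2. It assumes Python 3.7 or later and that you are authorised to test the target host; the function names, the version tables and the grading rule in `evaluate` are this example's own, not anything the Standard itself defines.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate and grade the result
against the PCI DSS 3.1 rule that SSL and early TLS must be retired. Example code, not
PCI SSC material; the version tables and grading rule below are this script's own."""
import socket
import ssl
import sys

# "SSL and early TLS" in PCI SSC terms. SSLv2 is omitted because Python's ssl module
# cannot offer it at all, so it cannot be probed from here.
INSECURE_VERSIONS = ("SSLv3", "TLSv1")
# Versions an implementation may use after the migration: TLS 1.1 is the floor the
# Standard allows, TLS 1.2 is strongly encouraged, TLS 1.3 postdates the bulletin.
ALLOWED_VERSIONS = ("TLSv1.1", "TLSv1.2", "TLSv1.3")


def compliant_client_context() -> ssl.SSLContext:
    """Client-side context for a new implementation: certificate and hostname
    verification stay on, and nothing older than TLS 1.2 is offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _candidate_versions() -> dict:
    """Map from the string ssl.SSLSocket.version() reports to the enum used to pin a handshake."""
    return {
        "SSLv3": ssl.TLSVersion.SSLv3,
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }


def _pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Context that offers exactly one protocol version, so a successful handshake proves
    the server accepts that version. Verification is disabled on purpose: this probes
    protocol support of a host you are authorised to test, not certificate validity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3.0+ refuses TLS 1.0/1.1 at its default security level; lower it so the
        # probe can actually offer the legacy versions instead of failing locally.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL without SECLEVEL support already offers them
    return ctx


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {version_name: True (negotiated) | False (refused) | None (not testable locally)}."""
    results = {}
    for name, version in _candidate_versions().items():
        try:
            ctx = _pinned_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = None  # the local OpenSSL build cannot speak this version at all
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False  # handshake refused (or host unreachable)
    return results


def evaluate(results: dict):
    """Grade a probe result: compliant means no insecure version was negotiated and at
    least one allowed version is available. Returns (compliant, insecure_versions_offered)."""
    offered_insecure = [v for v in INSECURE_VERSIONS if results.get(v)]
    has_allowed = any(results.get(v) for v in ALLOWED_VERSIONS)
    return (not offered_insecure and has_allowed, offered_insecure)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    found = probe_versions(target)
    ok, bad = evaluate(found)
    for name, supported in found.items():
        state = "negotiated" if supported else ("refused" if supported is False else "untestable")
        print(f"{name:8} {state}")
    detail = ", ".join(bad) if bad else "no allowed version available"
    print("SSL/early TLS check:", "PASS" if ok else f"FAIL ({detail})")
```

Run it as `python probe_tls.py payments.example.internal` against an endpoint you own. A `None` entry means the result is unknown rather than safe: the OpenSSL linked into your Python could not even offer that version, so confirm such cases with a build that can, or with the server's own configuration, before recording the endpoint as migrated.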
Reflecting these changes, the PCI Council plans to publish the new release of PCI DSS as version 3.2. Its early 2016 release replaces the update originally scheduled for November 2016.
According to the plans, the new release of the Standard will take effect immediately upon publication, and the current version 3.1 will be retired three months later. During the transition period, assessments already started against the previous version can be completed without any impact; after the transition period, assessments can be performed only against version 3.2.
The new version of the Standard does not contain only the changes related to the SSL/TLS requirements; it will also reflect recent significant changes in the payment card industry, such as the growth of mobile payments and the rollout of EMV chip cards.
Along with the changes to PCI DSS, PA-DSS (Payment Application Data Security Standard) will be updated as well. According to the plans, the new PA-DSS 3.2 will be published in the month following the release of PCI DSS 3.2.