New requirements and guidance from the Payment Card Industry Security Standards Council will be released to merchants in April, which is about six months earlier than its normal update cycle.
The PCI DSS 3.2 version represents the first update the council has released since 3.1 in April of 2015 and 3.0 in November of 2013. The council's revisions generally operate on a three-year cycle with releases in the fourth quarter of the update year.
But the council needs to stay abreast of hackers' fast-changing attack vectors and payments security technology. The council is likely to address the threat landscape through more incremental modifications rather than waiting for wholesale updates to the standard in the three-year cycle, PCI Council Chief Security Officer Troy Leach wrote in a recent blog post.
The council "is sensitive to the drastic changes that are happening with payment acceptance," specifically in the mobile space and EMV chip cards at the point of sale, Leach said.
Faster responses to fraud trends should be a welcome change in the payments and retail industries, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"From a security perspective, I think their move to smaller, incremental updates is positive, since the threat landscape moves so quickly," Conroy said. However, even small changes mean "new work and cost for merchants and acquirers, so I don't imagine this shift will necessarily be one that will have them jumping for joy."
An incremental update occurred late last year when the council released a 92-page document citing more security requirements and procedures for tokenization service providers using payment tokens as an EMVCo-registered provider. The growing number of token service providers, plus an expected specification from EMVCo for a payment account reference, or PAR, to match various tokens associated with a personal account number, made it important for the council to address the topic in depth.
PCI DSS 3.2 is expected to cover another important topic for merchants by further clarifying the deadline extension the council put in place in December regarding Web protocol security. The council established June 2018 as the new deadline for merchants to be compliant by converting their Secure Socket Layer protocol to a more secure version of Transport Layer Security.
SSL was coming under extensive malware attacks last year, prompting the PCI council to start warning merchants as early as April of 2015 to begin moving toward the TSL version 1.1 encryption or higher.
The initial deadline of June 2016 included the PCI-DSS 3.1 version, but the council considered the extension to assure 3.2 was included.
PCI DSS 3.2 is also expected to address additional multi-factor authentication for administrators within a cardholder data environment, in addition to supplemental validation for service providers and clarifying masking criteria for primary account numbers when displayed.
While details of the new guidelines are not yet available, many in the payments and retail industries will be monitoring the revised SSL dates and any guidance on multi-factor authentication, Conroy said.
"It should be a beneficial step forward from a security perspective given the fact that passwords are so easily attacked," Conroy added. "But it will entail additional cost for businesses who aren’t already doing this as security best practice."