On August 15, 2013, the Payment Card Industry Security Standards Council (PCI SSC), an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards, issued a preview of the anticipated changes to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) to be released in November 2013 (Version 3.0). This document is intended to prepare stakeholders for aligning their security programs with the updated Standards and to provide additional time for the merchants to review and understand the changes prior to their implementation. Stakeholders will also be able to participate in Community Meetings in September and October 2013 in order to review and discuss these changes.
The updated versions of PCI DSS and PA-DSS will:
- Provide stronger focus on some of the greater risk areas in the threat environment
- Provide increased clarity on PCI DSS and PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all entities implementing, assessing, and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks/threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation.
The issued document is at the stage for informational purposes only and does not replace the current Standards. The planned publication date of Version 3.0 of PCI DSS and PA-DSS is November 7, 2013, and they will become effective on January 1, 2014. However, in order to ensure adequate time for organizations to transition to the new Standards, Version 2.0 of the Standards will remain active until December 31, 2014.
The full change highlights document can be accessed here.