The PCI Council has announced expected changes to the PCI DSS and PA-DSS standards for the upcoming 3.0 release in November. Key focus areas include the lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.
While the updates are still under review by the PCI community, proposed updates include:
- Recommendations on making PCI DSS business-as-usual and best practices for maintaining PCI DSS compliance
- Security policy and operational procedures built into each requirement
- Guidance for all requirements with content from the Navigating PCI DSS Guide
- Flexibility and education regarding password strength and complexity
- Requirements for point-of-sale terminal security
- Requirements for penetration testing and validating segmentation
- Considerations for cardholder data contained in memory
- Enhanced testing procedures to clarify the level of validation expected
- Expanded software development lifecycle security requirements for PA-DSS vendors, including threat modeling
Final changes to the standards will be determined after PCI Community Meetings and published in November. Registration for the 2013 Community Meetings is available here. Additionally, the Council will host a webinar series to outline the proposed changes; registration is available here. PCI DSS and PA-DSS 3.0 will become effective on January 1, 2014.