On August 13th, Gartner reported that the PCI DSS 3.0 changes are bigger, harder and more expensive. We expected more detail, but not something this difficult and demanding.
Earlier reports had promised clarity and detail in v3.0, so companies expected it to be a whole lot simpler. In reality there are more security controls and more required detailed explanations, and hence higher costs. “According to Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based Gartner Inc., PCI DSS 3.0 is about 27% larger than its predecessor.”
“There’s no two ways about it. It’s much bigger; it’s more thorough. A lot of what’s in there is a reaction to the [recent data] breaches,” Litan said. “It’s good [for] security, but it’s becoming incredibly onerous for most merchants.”
Requirement 11, which covers vulnerability assessment and penetration testing, is especially challenging.
On the one hand, all the rigor of PCI DSS v3.0 can be good for future technologies such as point-to-point and chip and PIN; on the other, PCI compliance is definitely getting tougher and is never going away.