The PCI Council’s Chief Technology Officer Troy Leach said, “we are sensitive to the drastic changes that are happening with payment acceptance – from advancements in mobile payments to EMV chip rollout in the United States, to adoption of other forms of dynamic data and authentication. By releasing the standard early, with long sunrise dates, organizations can evaluate the business case for their security investments. This also allows us more time to dedicate to security priorities for those specific payment channels in the future.”
Version 3.2 will:
- evaluate additional multi-factor authentication for administrators within a cardholder data environment
- incorporate some of the designated validation criteria for service providers
- clarify masking criteria for Primary Account Numbers (PAN)
- clarify dates for the migration from SSL to TLS
PA-DSS will also have updates to align with PCI DSS. Additional guidance and updates will be created to help with the implementation of the updates.
Leach also reiterated that a company should regularly evaluate ‘how it accepts payments and whether it can reduce the risk to its customers and its organization by changing business practices for cardholder data exposure; evaluate newer payment technology like tokenization and encryption; and confirm its third party service providers understand the importance of the upcoming changes as well.’