PCI DSS 3.2 will be more of an incremental update than a major revision of the standard when it is released in mid-2016.

The PCI Security Standards Council announced it will publish a new version of the PCI Data Security Standard sometime in either March or April, and PCI DSS 3.2 will be the only release for the year. The aim, according to the council, is to release early and include long sunrise dates in order to allow organizations more time to deal with changes related to the EMV (Europay, MasterCard and Visa) chip rollout.

“First, we must address the revised migration dates away from SSL and early TLS [Transport Layer Security],” Leach said. “Second, the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard.”

Organizations should be aware that PCI DSS 3.2 will become effective immediately when it is released, and version 3.1 will be retired just three months later. This means any PCI DSS 3.1 assessments in progress would need to be completed by either June or July, depending on when version 3.2 is published.