The Payment Card Industry Standards Council recently published a document that previews the changes in the coming Version 3.0 of the PCI Data Security Standards. A short summary of the changes:
- More reporting - PCI DSS 3.0 will require card holder data flow diagrams, inventory lists of what is in-scope and evaluations of "evolving malware threats for systems not commonly affected by malware." For you Critical Security Controls fans, these map to Controls 1, 2, 5 and 19, so they are valid security areas. But they do add more documents that an organization must produce to satisfy QSAs.
- Clarification - it appears there will be additional explanatory guidance around penetration testing, application vulnerabilities, acceptable methods of authentication and details of acceptable key management processes. Those are all areas that have long needed some clarification, but as the old saying goes, the devil is in the details. Until I see the full text, I can't really opine on whether the clarification actually made anything clearer.
What's missing is any announcement of changes to the PCI compliance process. There was no discussion of limiting the remediation services that QSAs who perform an evaluation can offer; this lack of separation has undermined the PCI process for nearly a decade now. That issue, that whole process, needs much more than just tinkering around the edges.