Updated Standards Part 2 - PCI DSS/PA DSS
Last week the PCI Security Standards Council released the next versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS), version v3.0. The standards are updated over a three-year cycle and are valid from the date of release. The previous version can still be used for certification until 31 December 2014, giving companies plenty of time to adjust to the new requirements.
The changes are mostly clarifications of the current requirements. A few have been combined and moved, but there really are no earth-shattering changes.
Unlike ISO 27001, there is a document of changes for each of the standards. These are available on the council's web site (www.pcisecuritystandards.org). One of the more visible changes is that the standard, for each requirement, now provides a guidance statement that explains why the requirement is important. In early 2014 the reporting requirements should be available, which will provide insight as to what documentation and evidence need to be available when facing an assessment.
Mark H - Shearwater
Comments
Anonymous
Dec 5th 2013
1 decade ago
Hhmmm, a reason for doing something (i.e. why it is important). What a novel idea! ;-)
Anonymous
Dec 5th 2013
1 decade ago
NSA Cloud Backup Services
"we have your data anyway, why not enjoy it?"
Anonymous
Dec 5th 2013
1 decade ago