“The new standards are here! The new standards are here!” Well, almost.
On Tuesday, August 27, at 11AM EDT and Thursday, August 29, at 2PM EDT, Bob Russo of the PCI SSC will discuss the Summary of Changes of what we can expect to be in the new versions of the PCI DSS and PA-DSS.
According to this Webinar announcement, the new standards are expected to be published in November. Given how the last standard release went, I found it rather humorous that the announcement did not explicitly state the year, thus giving the PCI SSC wiggle room should they go past this coming November and decide to release the new standard a year from this coming November.
Remember, this is only a discussion of the Summary of Changes document. Those of you who were around for the release of v2.0 know that the Summary of Changes documents did not provide a good idea of the real changes to the standards. My favorite phrase in the v1.2.1 to v2.0 Summary of Changes was “minor wording changes for consistency.” It was not until we got the real copies of the actual standards that we realized that “minor wording changes for consistency” was more often than not code for “read this requirement carefully, as there were a lot of changes in how the QSA should interpret the requirement.” Hopefully, the PCI SSC learned from the last release of the standards and will provide more guidance in v3’s Summary of Changes.
The other thing I hope that Mr. Russo will discuss is when the supporting documents, such as the Navigating and Reporting Instructions guides, will be released. In the case of the v2.0 Reporting Instructions document, we got it the first day of the following year’s PCI Community Meeting (almost a year later). This is probably the most important document of the lot because it explains the standard to which QSAs will be held for producing their Reports On Compliance. This was the reason most QSACs did not adopt the new standard, as they were leery of being put into remediation by the PCI SSC when the reporting standards had not been published. This was a very real threat, as it had happened with v1.2.1, where reporting instructions were released after some QSACs had been put into remediation.
The PCI SSC’s announcement states that this Webinar will discuss:
- The process for developing PCI Security Standards
- The key changes to the standards and how they impact organizations’ efforts to protect payment card data
- The timeline for delivery of the updated standards
If you wish to attend the Webinar, you can register here.
