The Payment Card Industry Security Standards Council recently released a preview of the potential changes in PCI DSS 3.0, which is slated to go into effect in 2014.

It looks like they read the Verizon Data Breach Investigations Report (DBIR):

The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include:

  • Lack of education and awareness
  • Weak passwords, authentication
  • Third-party security challenges
  • Slow self-detection, malware
  • Inconsistency in assessments

Nothing is final, but a few highlights are worth understanding now, since they may sure as heck nail you later:

  • Better, current documentation of cardholder data flows and of everything within PCI scope.
  • Penetration testing is a requirement. If they are serious about this, I am not sure how that will play out for the SMB side of the world.

I’m darn curious to see how they handle this one. I predict total failure:

To address compromises where the organization had been PCI DSS compliant but did not maintain that status. Recommendations focus on helping organizations take a proactive approach to protect cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice.

  • An emphasis on consistency of assessments.
  • More specifics on “daily log reviews”. Oh my.

PCI isn’t totally worthless, but I don’t expect much practical improvement to come out of the 3.0 updates. These are very reasonable holes to address, and addressing them will help, but we may be about to burden many organizations with activities they cannot possibly support. Start your SaaS engines now…