The Council Surprises

So I posted my thoughts on where I thought the PCI SSC was headed with v4 of the PCI DSS and today the Council announced there apparently will be no v4. Instead we will get v3.2 of the PCI DSS and PA-DSS. And those new standards will be out sometime in the next month or two.

Read all about it on their blog post.

Not sure what to say or think, as they have apparently decided the three-year model for standards updates no longer needs to be followed after beating it into our heads for the last seven years.


4 Responses to “The Council Surprises”

  1. ErikR
    February 24, 2016 at 2:00 AM

    The most interesting part of the PCI SSC blog post is: “Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard”.

    Does this mean the end of the 3-year cycle? From now on, can we expect changes to be released at any time, rather than at scheduled intervals?

    • February 24, 2016 at 6:44 AM

      That is how I took it. The 3-year cycle is over.

  2. PIN head
    February 22, 2016 at 10:06 AM

    Maybe they don’t want to take and review feedback and just push new requirements down on merchants in a more direct way and get them out faster. No need to get pushback before putting out a new set of requirements. They can just ignore the pushback once the requirements are set in stone.

  3. February 18, 2016 at 12:20 PM

    Nevertheless, I thought your comments in your previous entry about Requirement 9.9 were spot on!


