It’s hard to believe that over a decade has passed since PCI DSS (Payment Card Industry Data Security Standard) was first introduced in 2004 as the information security standard for organizations that store, process or transmit cardholder data. Although it has become a mature industry standard, two problems remain. First, breaches are still occurring, and second, “compliant” organizations are often the victims. According to the PCI Security Standards Council, analysis of recent cardholder data breaches and PCI DSS compliance trends reveals that many organizations don’t have processes in place to ensure that PCI DSS security controls are continuously enforced. The most recent release, PCI DSS 3.2, aims to address these shortcomings.
In hopes of changing the perception of PCI compliance from a “once-a-year” event to an ongoing security process, PCI DSS 3.2 focuses on giving organizations a chance to plan for and implement security processes that help mitigate cyberattacks. Version 3.1 expires on October 31, 2016, and the new requirements set forth by the 3.2 release have a grace period, giving organizations until February 1, 2018, to meet them.