PCI DSS Lifecycle

Remember all that stuff about a three-year life cycle? Well, it’s now officially phase 4, the beginning of the feedback period! What needs fixing in your opinion? What needs clarification?

Theoretically, you should have had some time to investigate how the new version impacts your environment and to think about implementation, if you have not already validated against 2.0 this year. Unless your acquirer tells you otherwise, you will be validating against 2.0 next year.

So far, the biggest complaints I have heard from stakeholders are the lack of cloud and mobility coverage as well as confusion around scope. One of my issues (which I am unsure the Council is willing to solve) is around the sampling methodology and risk assessment thresholds that QSAs and ISAs must use when determining compliance.

Access the feedback tool at https://programs.pcissc.org/. Feel free to submit feedback to me and I can compile the relevant portions and ship them over to the Council.

And one final note: you have only three days left to vote on your favorite SIGs! Don’t get left out of the voting process! Which SIGs are most important to you?

