Browsing Twitter last night brought me to this tweet about PCI DSS in 2016.
— James Adamson (@jameskadamson) February 25, 2016
Indeed, earlier this month the Council published a blog post revealing that PCI DSS 3.2 would be the next version of the Standard and the only release in 2016. I’ve previewed the proposed changes in 3.2, and I think this is a good approach for the Council this year. We can continue to debate the efficacy of the Standard ad nauseam, but unless we’re going to do a major overhaul of PCI DSS, tweaks are all we will get.
So why could this be the beginning of the end? It’s all a little tongue in cheek (something you guys should be used to by now). No major revisions signals the Standard is fairly mature. Then look at the players in the ecosystem and the moves they are making. Specifically, since Visa’s TIP program says that simply having an EMV terminal will exempt you from PCI DSS reporting, I think we’re close to the end of PCI DSS reporting for the majority of merchants.
Perhaps this is a debate we can pick up next week at RSA Conference! If you are coming out, be sure to hit me up on Twitter and perhaps we can meet up between sessions or at an event.