The PCI DSS 3.0 changes are to be released in November and were created to do the following:

Provide stronger focus on some of the greater risk areas in the threat environment.
Provide increased clarity on PCI DSS and PA-DSS requirements.
Build greater understanding on the intent of the requirements and how to apply them.
Improve flexibility for all entities implementing, assessing, and building to the standards.
Drive more consistency among assessors.
Help manage evolving risks and threats.
Align with changes in industry best practices.
Clarify scoping and reporting.
Eliminate redundant sub-requirements and consolidate documentation.

Although the proposed updates are still under review before the final version, proposed changes for organizations include the following:

Keep a current diagram that shows how cardholder data flows to clarify cardholder data flows within the network.
Maintain an inventory of system components in scope for PCI DSS to support effective scoping practices.
Evaluate evolving malware threats for systems not commonly affected by malware to promote ongoing awareness and to protect systems from malware.
Update lists of common vulnerabilities in alignment with OWASP, NIST, SANS and other security organizations to secure coding practices and keep current with emerging threats.
Implement security considerations for authentication mechanisms such as physical security tokens, smart cards and certificates, to address requirements for securing authentication methods other than passwords.
Protect POS terminals and devices from being tampering with to address physical security of payment terminals.
Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective.
Maintain information that states which PCI DSS requirements are managed by service providers and which are managed by the entity.

Service providers must acknowledge responsibility for maintaining applicable PCI DSS requirements.

Instant Insights /

PCI DSS 3.0 Changes Focus on Risks, Simplifies Compliance