In August 2013, the PCI Security Standards Council published a heads-up about the new Version 3.0 of the PCI DSS and what is going to change. The new standard will be published in November 2013 and introduces considerably more change than the step to version 2.0 did; version 2.0 will remain in effect until the end of December 2014, so organizations have a transition period before they must assess against 3.0.
What drove the change from V2 to V3?
The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. The Council names the following areas as challenges for everyone in the industry:
- Lack of education and awareness
- Weak passwords and authentication
- Third-party security challenges
- Slow self-detection of breaches, including malware
- Inconsistency in assessments
To quote the document: "Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today". One piece of this puzzle, of course, is security awareness training.
Other pieces are training staff to change default passwords, to choose strong passwords for authentication, and to protect their credentials. I recommend you have a look at this document. It is just 9 pages and gives you a good overview of what is coming.