Previously, the recommendation was an annual approach. Under the new standards, it's a quarterly recommendation, he said.
In addition, the new standard provides more information about what a penetration test should actually include.
"They've provided clarity - they've never before written it down," said Jeff Man, PCI security evangelist at Columbia, MD-based Tenable Network Security.
More systems covered
Previously, merchants could ignore systems that didn't hold card data or personally identifiable information.
Now the PCI standard's scope has expanded to include systems that, say, might not actually store card data but would allow someone to view it.
"This will result in more complex compliance assessments," said Agiliant's George in the report.