The PCI SSC also notes that it develops the updates based on feedback from all stakeholders - card companies, banks, payment processors, hardware and software developers, merchants and assessors.
However, amid the ongoing debate, both critics and supporters welcome some of the new requirements that they say are long overdue.
The one getting the most praise is the requirement for "multi-factor" authentication "for any personnel with administrative access into environments handling card data," according to a summary by the PCI Security Standards Council (SSC), which develops and issues the PCI DSS updates. Previously, a two-factor authentication (2FA) requirement applied only to remote access from untrusted networks.
The change in language to "multi-factor" means authentication must combine at least two of the three recognized factor categories: "Something you know," like a password; "something you have," such as a hardware token or certificate; and "something you are," which would include biometrics like a fingerprint or an iris or retina scan. Two factors drawn from the same category (two passwords, for example) do not qualify.
Mike Morrato, research director at Gartner, said the change is aimed at both internal and external users. "While many organizations have already enforced this for years, it hasn't been universal," he said. "It's a good security practice in general and strengthens part of the Identity and Access Management (IAM) component of PCI."
Indeed, Conroy noted the irony that, "so many criminal underweb sites require two-factor authentication (2FA) for admission, but so many merchants still have not implemented it for their point-of-sale (POS) terminals.
"The Verizon Data Breach Investigations Report this year further substantiated the need for this, with the stat that 63% of breaches are the result of weak, default or stolen passwords. The password's useful life as an authenticator is long past," she said, "and 3.2 finally accounts for that."
John Bambenek, threat systems manager of Fidelis Cybersecurity, agreed. Multi-factor authentication, "is something we've been advocating for almost 10 years," he said. "The tools that can do this are reasonably priced, and this will force the issue of actually implementing it."
Brett McDowell, executive director of the FIDO Alliance, is yet another fan of the change. "This is a trend we are seeing across industries and geographies," he said, "as we collectively come to the painful realization that single-factor authentication is no longer adequate protection and that we need multi-factor authentication in all scenarios where sensitive data is being accessed."
Other new mandates get more mixed reviews. The requirement for more pen testing, and to replace scanning with pen testing, "is a good practice on paper," Morrato said, "because technology advances so quickly that something that was once thought as secure or had enough compensating controls in place could very well become obsolete overnight."
But, he also noted, "pen testing is neither cheap nor quick. Often fixes can take a long time to implement. Erring on the side of security is the correct mindset here, but there's going to be some significant operating pain."