The PCI Council has gifted us a new version of the standard which, like the previous one, brings no major changes for organizations. Apart from the clarifications of certain requirements (which the standard itself calls "clarifications"), the changes concern:
new requirements for service providers, who must document their cryptographic architecture (3.5.1), detect and report failures of security controls (10.8), perform penetration tests every six months (11.3.4.1), clearly document PCI DSS compliance responsibilities (12.4), and have those responsible for operations confirm compliance with PCI DSS requirements quarterly (12.11),
the change management process must include an assessment of the impact on PCI DSS compliance (6.4.6),
remote access (anything other than console access) must now use multifactor authentication (8.3).
All changes must be applied no later than February 1, 2018, except for the risk related to the TLS 1.0 protocol, which must be removed by July 1, 2018. Those who intend to be certified for the first time can still do so under the previous version of the standard (3.1) until October 31, 2016.
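For the TLS 1.0 deadline mentioned above, the setting an assessor actually looks at is the list of protocol versions a server will negotiate. The following nginx fragment is an added example, not part of the original post, showing the weak directive beside the corrected one; the server name and certificate paths are placeholders.

```nginx
# Added example (not from the original post). Hostname and paths are placeholders.
server {
    listen 443 ssl;
    server_name payments.example.com;                   # placeholder
    ssl_certificate     /etc/ssl/certs/payments.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/payments.key;  # placeholder

    # Weak setting: still negotiates TLS 1.0 and 1.1, which misses the
    # migration deadline. Left here commented out for comparison.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Corrected setting: only TLS 1.2 (and 1.3 where the build supports it).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
```

After reloading, confirm the change from outside the host with `openssl s_client -tls1 -connect payments.example.com:443`; a correctly configured server refuses the handshake, while a successful TLS 1.0 handshake means the weak setting is still in effect somewhere (another server block, a load balancer, or a reverse proxy in front of nginx).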
In addition to the new requirements, parts of previously separate documents (e.g. Designated Entities Supplemental Validation, DESV) have been incorporated into the standard.