PCI Updates Unveiled

No New Requirements Proposed in Version 2.0 of Security Standard
The long-anticipated new version of the Payment Card Industry Data Security Standard includes no new requirements - just clarifications and new guidance on existing components.

This is the headline news from the PCI Security Standards Council, which has just released a summary of the expected changes to PCI DSS and the Payment Application Data Security Standard.

A more detailed summary of the proposed versions 2.0 of PCI DSS and PA DSS will be released in September, prior to the council's community meetings. The final version of the amended standards is expected to be released on Oct. 28, then go into effect on Jan. 11, 2011.

"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," says Bob Russo, general manager of the council. "With the changes to the PCI DSS and PA DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."

Summary of Changes

There are 12 proposed changes in versions 2.0 of the standards. The changes fall into three main categories:

  • Clarification: Clarifies the intent of a requirement; ensures that the concise wording in the standards portrays the desired intent of the requirement;
  • Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
  • Evolving Requirement: Ensures the standards are up-to-date with emerging threats and changes in the marketplace.

Key updates include:

  • Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides;
  • Support for centralized logging included in PA DSS to promote more effective log management;
  • Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities;
  • Greater alignment between PCI DSS and PA DSS to facilitate stronger security practices.

This summary of changes comes after the announcement in June that the council is moving all three of its standards to follow a three-year development lifecycle period, starting with the release of updated versions of the PCI DSS and PA DSS in October of 2010. A consistent, transparent lifecycle for all council-managed standards is intended to simplify the implementation process for the entire payment industry.

What's Missing, What's Next

Tokenization and encryption - two of the technologies most frequently referenced by critics of PCI - did not make it into the new versions. "There will be additional guidance coming later in the year, so at the community meeting as well as after the community meeting, we will be issuing guidance on CHIP, point-to-point encryption and tokenization," Russo says. "We'll be letting people know that if they are using one of these layered security technologies, this is how it lines up with the standard."

A more detailed summary of changes and pre-release versions of the revised standards will be released in early September, before the community meetings in Orlando, FL, on September 21-23, and in Barcelona, Spain, on October 18-20.

"If, in fact, there are any 'aha' moments that we get at these community meetings," Russo says, "we still have the ability to make some adjustments and tweaks to the standard."

The final 2.0 versions will be released on October 28. Then these standards are scheduled to go into effect after the Christmas holiday season, starting January 11, 2011.

See also: Exclusive interview with Bob Russo about the PCI update.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.