PCI DSS Clarifications Coming

Council Will Offer Compliance Insights
The PCI Security Standards Council next week will provide clarifications about how merchants, acquirers and others should comply with the PCI Data Security Standard. But the council won't formally update the standards until next year.

The council recently solicited feedback about PCI-DSS compliance challenges. "We found that the industry wanted more specific information about things like updates to password requirements and how those updates will help to enhance security," says Bob Russo, general manager of the council.

"They wanted clarification about testing procedures and how to get adequate coverage," he adds. And most asked for more details about sufficient PCI testing procedures, ongoing compliance and determining what is in-scope - identifying which parts of the environment have to comply with PCI, he adds.

The council will provide compliance clarifications at its bi-annual North American Community Meeting in Orlando, Fla., which runs Sept. 12 through 14. The council will address version 2.0 of the PCI Data Security Standard and the Payment Application Data Security Standard.

PCI Feedback

A summary of the feedback on compliance issues is available on the PCI SSC's website. A more detailed list of the comments and questions will be provided to meeting registrants.

Russo says many PCI-DSS clarification requests related to encryption standards and key management. "No one had any problems with the standard," he adds. "They just want to know how they can get the most out of it."

And clarifying those points is critical, Russo says, in light of recent breach incidents.

In the wake of POS attacks at merchant locations throughout the United States, from the Michaels craft store chain to Subway and Penn Station, the PCI Council is taking PCI compliance education seriously.

Last month, the council took a direct step to address merchant vulnerabilities through the launch of a new training and certification program aimed at the third-party POS device installers and systems integrators. The new Qualified Integrators and Resellers Program was created in response to those recent attacks, which, in many cases, could have been prevented if PCI precautions had been followed, Russo says.

Russo says PCI compliance and testing hinge on having the right integrators and security assessors in place.

Compliance: A Global Standard

Russo also points out that more than half of the compliance comments received came from organizations outside the United States, which illustrates how interest in the standard is spreading globally.

"For so long, many people looked at PCI-DSS and kept thinking of it as just a U.S. standard," he says. "But this is a global standard, and it's clear, based on the feedback we've received, that other global markets are working to ensure they are compliant."

About 20 percent of those comments came from payments players in Asia-Pacific, Russo adds. "This is a reflection of more people around the globe getting involved with the standard."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.