PCI DSS Clarifications Coming: Council Will Offer Compliance Insights
The PCI Security Standards Council next week will provide clarifications about how merchants, acquirers and others should comply with the PCI Data Security Standard. But the council won't formally update the standards until next year.
The council recently solicited feedback about PCI-DSS compliance challenges. "We found that the industry wanted more specific information about things like updates to password requirements and how those updates will help to enhance security," says Bob Russo, general manager of the council.
"They wanted clarification about testing procedures and how to get adequate coverage," he adds. And most asked for more details about sufficient PCI testing procedures, ongoing compliance and determining what is in-scope - identifying which parts of the environment have to comply with PCI, he adds.
The council will provide compliance clarifications at its bi-annual North American Community Meeting in Orlando, Fla., which runs Sept. 12 through 14. The council will address version 2.0 of the PCI Data Security Standard and the Payment Application Data Security Standard.
A summary of the feedback on compliance issues is available on the PCI SSC's website. A more detailed list of the comments and questions will be provided to meeting registrants.
Russo says many PCI-DSS clarification requests related to encryption standards and key management. "No one had any problems with the standard," he adds. "They just want to know how they can get the most out of it."
And clarifying those points is critical, Russo says, in light of recent breach incidents.
In the wake of POS attacks at merchant locations throughout the United States, from the Michaels craft store chain to Subway and Penn Station, the PCI Council is taking PCI compliance education seriously.
Last month, the council took a direct step to address merchant vulnerabilities through the launch of a new training and certification program aimed at the third-party POS device installers and systems integrators. The new Qualified Integrators and Resellers Program was created in response to those recent attacks, which, in many cases, could have been prevented if PCI precautions had been followed, Russo says.
Russo says PCI compliance and testing hinge on having the right integrators and security assessors in place.
Compliance: A Global Standard
Russo also points out that more than half of the compliance comments received came from organizations outside the United States, which illustrates how interest in the standard is spreading globally.
"For so long, many people looked at PCI-DSS and kept thinking of it as just a U.S. standard," he says. "But this is a global standard, and it's clear, based on the feedback we've received, that other global markets are working to ensure they are compliant."
About 20 percent of those comments came from payments players in Asia-Pacific, Russo adds. "This is a reflection of more people around the globe getting involved with the standard."