PCI Updates UnveiledNo New Requirements Proposed in Version 2.0 of Security Standard
This is the headline news from the PCI Security Standards Council, which has just released a summary of the expected changes to PCI DSS and the Payment Application Data Security Standard.
A more detailed summary of the proposed versions 2.0 of PCI DSS and PA DSS will be released in September, prior to the council's community meetings. The final version of the amended standards is expected to be released on Oct. 28, then go into effect on Jan. 11, 2011.
"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," says Bob Russo, general manager of the council. "With the changes to the PCI DSS and PA DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."
Summary of ChangesThere are 12 proposed changes in versions 2.0 of the standards. The changes fall into three main categories:
- Clarification: Clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements;
- Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
- Evolving Requirement: Ensures the standards are up-to-date with emerging threats and changes in the marketplace.
Key updates include:
- Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides;
- Support for centralized logging included in PA DSS to promote more effective log management;
- Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities;
- Greater alignment between PCI DSS and PA DSS to facilitate stronger security practices.
This summary of changes comes after the announcement in June that the council is moving all three of its standards to follow a three-year development lifecycle period, starting with the release of updated versions of the PCI DSS and PA DSS in October of 2010. A consistent, transparent lifecycle for all council-managed standards is intended to simplify the implementation process for the entire payment industry.
What's Missing, What's NextTokenization and encryption - two of the technologies most frequently referenced by critics of PCI - did not make it into the new versions. "There will be additional guidance coming later in the year, so at the community meeting as well as after the community meeting, we will be issuing guidance on CHIP, point-to-point encryption and tokenization," Russo says. "We'll be letting people know that if they are using one of these layered security technologies, this is how it lines up with the standard."
A more detailed summary of changes and pre-release versions of the revised standards will be released in early September, before the community meetings in Orlando, FL, on September 21-23, and Barcelona, Spain in October 18-20.
"If, in fact there are any 'aha' moments that we get at these community meetings," Russo says, "We still have the ability to make some adjustments and tweaks to the standard."
The final 2.0 versions will be released on October 28. Then these standards are scheduled to go into effect after the Christmas holiday season, starting January 11, 2011.