The Green Sheet Online Edition
July 12, 2010 • Issue 10:07:01
Security standards lifecycle extended
Based largely on input from member organizations, the PCI Security Standards Council (PCI SSC) lengthened the evaluation and update process of its data security standards from two years to three. The council also streamlined the development, review and compliance phases of the standards by aligning them on a common timetable.
The new versions of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS are to be released in October 2010, joining the PIN Transaction Security (PTS) DSS, which was released in June 2010. This October is when the three standards will begin to follow the same three-year calendar.
The new three-year lifecycle consists of eight stages. Each lifecycle begins at stage one, in October, when the PCI SSC publishes new versions of the standards. Stage two is a yearlong member feedback and review period, during which businesses can evaluate the new versions. Stage three runs from publication until the January immediately following it, giving businesses time to prepare; from that January they are expected to begin implementing the new versions.
Stage four is another feedback and review period during the lifecycle's second year. Stage five commences on Dec. 31 of year two, at which time the old versions of the standards are officially retired, and all compliance efforts are focused on meeting the requirements of the new versions.
Stages six through eight occur during year three. These entail the council taking into account member feedback and market dynamics as it makes changes to create the next versions of the standards to be published that October. Then the three-year lifecycle with the updated standards begins anew.
Change for the good
PCI SSC General Manager Bob Russo considers the changes a "win-win" for everyone involved: merchants, payments industry businesses and the council. Russo boiled the benefits down to two: all constituencies get more time to familiarize themselves with the new versions and implement them, and the PCI SSC gets more time to digest feedback from its members about how the new versions are working.
Russo noted that the additional year allows for two community meetings (held in either September or October) to take place in the three-year time frame as opposed to only one meeting in the two-year lifecycle. The extra community meeting means more opportunities for feedback and education, he said.
Another improvement is the extra time built into the calendar for merchants and others to comply with the standards, according to Russo. In the old lifecycle, new versions of the standards became effective immediately upon publication in October, which put a burden on merchants who make the majority of their revenue during the holiday season.
"From the end of October to the beginning of January, these guys are on lockdown," Russo said.
"They're not going to be making any changes to anything. They're not going to be looking at anything. They just want to make their money."
Now, businesses have over two months after new versions are announced (in October) to become familiar with the standards before they need to start implementing them (the following January). And businesses have a full year after that Jan. 1 date to gain compliance with the new versions.
"It's a pretty transparent process," Russo said. "At the time we get to the end of this three-year period, there really won't be many surprises whatsoever. These guys will have a real good idea of what is coming and what is to be expected of them, and they'll know what they'll have to do to comply with it."
A cautionary note
But surprises are what give data security experts nightmares. And that gives pause to Dr. Tim Cranny, Chief Executive Officer at Panoptic Security Inc. "I can absolutely understand why they slowed down the cycle," he said. "But the other side of the coin is security and security problems evolve very quickly and that world moves very quickly. You can't just decide you're going to move at half speed without paying a price.
"It was always clear to me that merchants and people subject to PCI would want the world to slow down," he said. "And the thing that is pushing back is the reality of the hard, fast-paced world."
Cranny is concerned that organizations may interpret the extra year in the standards' lifecycle to mean they can relax about data security. "The underlying reality of PCI always is that it's not something that the merchants want to do," he said. "At most they see it as a grim necessity. And the council will certainly need to sort of manage expectations and say this is not a lowering of the bar; this is not telling you to go to sleep for an extra year."
Clarity of communication is therefore critical going forward, Cranny added. "If the council can communicate this in a clear way and stop it from getting over complicated, then it can be an advantage," he said. "But the danger is that people go to sleep or ignore the fundamentals or the rapid stuff rather than dealing with both." A webinar detailing the PCI lifecycle changes can be downloaded from the PCI SSC website at www.pcisecuritystandards.org/education/webinars.shtml.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.