The Green Sheet, Inc

The Green Sheet Online Edition

November 22, 2010  •  Issue 10:11:02

PCI 2.0 refines, clarifies compliance process

The PCI Security Standards Council (PCI SSC) released version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS on Oct. 28, 2010. The council said the updates are primarily meant to help clarify existing standards and assist with their implementation.

PCI DSS 2.0 arrives in the wake of PCI SSC annual meetings in Orlando, Fla. (Sept. 23 to 25), and Barcelona, Spain (Oct. 18 to 20), where more than 1,500 people from 600 organizations participated in discussions that were largely designed to help craft the new standards, according to the PCI SSC's website. Among the participants were merchants, banks and processors, along with members of the council.

PCI DSS 2.0 goes into effect Jan. 1, 2011, although merchants aren't required to become fully compliant with the new standards until Dec. 31, 2011.

Some of the new requirements include more explicit instructions for issuers and processors regarding the storage of sensitive authentication data, changes regarding the prioritization of different security vulnerabilities, and a provision for logging different data streams in a centralized place to simplify tracking.

"Many merchants have many logs associated with many different systems," said Jeremy King, European Director for the PCI SSC. "What we're saying is try to create a centralized logging process.

"Instead of having many different logs, just have one centralized process. ... These things can help you identify critical issues when they occur."
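As an added illustration of the centralized logging King describes (example code written for this page, not from the article or the PCI SSC): three systems, each writing its own log format, are parsed into one normalized stream, and failed or denied events are then counted per source address across all of them, so a pattern that no single log reveals becomes visible. The system names, log lines and the alert threshold are constructed.

```python
"""Merge logs from several systems into one normalized stream and flag critical
issues across them. Added example (not from the article); all data is constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, each system in its own native format.
POS_LOG = [
    "2010-11-22 09:01:12 POS-07 auth_fail user=admin src=10.0.5.9",
    "2010-11-22 09:01:15 POS-07 auth_fail user=admin src=10.0.5.9",
    "2010-11-22 09:01:22 POS-07 auth_ok user=clerk3 src=10.0.5.12",
]
WEB_LOG = [
    '10.0.5.9 - - [22/Nov/2010:09:01:30 +0000] "GET /admin/cardholders HTTP/1.1" 403 0',
    '10.0.5.12 - - [22/Nov/2010:09:02:01 +0000] "POST /checkout HTTP/1.1" 200 512',
]
DB_LOG = ["22-Nov-2010 09:01:40 db01 LOGIN FAILED user=APP src=10.0.5.9"]

# (system, regex for its native line format, strptime format for its timestamp)
PATTERNS = [
    ("pos", re.compile(r"(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"),
     "%Y-%m-%d %H:%M:%S"),
    ("web", re.compile(r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3})'),
     "%d/%b/%Y:%H:%M:%S %z"),
    ("db", re.compile(r"(?P<ts>\S+ \S+) (?P<host>\S+) LOGIN (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"),
     "%d-%b-%Y %H:%M:%S"),
]

def normalize(lines):
    """Parse each line with the first matching format into a common schema, sorted by time."""
    events = []
    for line in lines:
        for system, rx, fmt in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            ts = datetime.strptime(d["ts"], fmt).replace(tzinfo=None)  # all logs assumed UTC
            failed = (d.get("event") == "auth_fail" or d.get("result") == "FAILED"
                      or d.get("status") == "403")
            events.append({"ts": ts, "system": system, "src": d["src"], "failed": failed})
            break
    return sorted(events, key=lambda e: e["ts"])

def critical_sources(events, threshold=3):
    """Source IPs with >= threshold failed/denied events, counted across all systems."""
    counts = Counter(e["src"] for e in events if e["failed"])
    return {src: n for src, n in counts.items() if n >= threshold}
```

Run against each log on its own, no source crosses the threshold; only the merged stream does, which is the point of centralizing.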

Easing the process

Some changes are intended to make the standards easier to manage and speedier to implement. A few eliminate redundancies (by, for example, combining requirements 10 and 11, which relate to remote access to payment data), while others clarify certain passages that have caused confusion.

Another noteworthy change relates to future updates to the PCI DSS, which will now be released every three years, rather than every two. "We've gotten a lot of feedback from people saying two years is just too short a time frame; you know, by the time we've understood the requirements, it already needs to be changed again," King said. "We've listened to that and we've changed it."

King said the updates will also facilitate implementation of the PCI DSS by doing more to tailor certain requirements to different types of merchants, rather than having them apply a uniform standard.

"The final ruling within this set is to say to the merchant, 'You really need to take a more risk-based approach to your processes and your environment,'" he said, adding that analyzing factors like whether a merchant is brick-and-mortar, e-commerce and/or MO/TO, for example, will help merchants understand where cardholder data is going to be in their systems.

"And from that you can match your security appropriately and thereby meet the requirements," he said. "This is an improvement. Instead of, in the past, 'You must, you must, you must,' it's now 'do this risk-based approach and then match your security to it.' And that's going to be a significant improvement to make life easy for the merchants and let them focus on key areas."

King said the PCI 2.0 updates target smaller merchants, especially, adding that the PCI SSC has added a new section to its website that's entirely dedicated to helping small merchants implement a good security framework. For further information on small-merchant PCI compliance issues, go to

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
