The Green Sheet Online Edition
November 22, 2010 • Issue 10:11:02
PCI 2.0 refines, clarifies compliance process
The PCI Security Standards Council (PCI SSC) released version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS on Oct. 28, 2010. The council said the updates are primarily meant to help clarify existing standards and assist with their implementation.
PCI DSS 2.0 arrives in the wake of PCI SSC annual meetings in Orlando, Fla. (Sept. 23 to 25), and Barcelona, Spain (Oct. 18 to 20), where more than 1,500 people from 600 organizations participated in discussions that were largely designed to help craft the new standards, according to the PCI SSC's website. Among the participants were merchants, banks and processors, along with members of the council.
PCI DSS 2.0 goes into effect Jan. 1, 2011, although merchants aren't required to become fully compliant with the new standards until Dec. 31, 2011.
Some of the new requirements include more explicit instructions for issuers and processors regarding the storage of sensitive authentication data, changes regarding the prioritization of different security vulnerabilities, and a provision for logging different data streams in a centralized place to simplify tracking.
"Many merchants have many logs associated with many different systems," said Jeremy King, European Director for the PCI SSC. "What we're saying is try to create a centralized logging process.
"Instead of having many different logs, just have one centralized process. ... These things can help you identify critical issues when they occur."
Easing the process
Some changes are intended to make the standards easier to manage and speedier to implement. A few eliminate redundancies (by, for example, combining requirements 10 and 11, which relate to remote access of payment data), while others clarify certain passages that have caused confusion.
Another noteworthy change relates to future updates to the PCI DSS, which will now be released every three years, rather than every two. "We've gotten a lot of feedback from people saying two years is just too short a time frame; you know, by the time we've understood the requirements, it already needs to be changed again," King said. "We've listened to that and we've changed it."
King said the updates will also facilitate implementation of the PCI DSS by doing more to tailor certain requirements to different types of merchants, rather than having them apply a uniform standard.
"The final ruling within this set is to say to the merchant, 'You really need to take a more risk-based approach to your processes and your environment,'" he said. He added that analyzing factors such as whether a merchant is brick-and-mortar, e-commerce and/or mail order/telephone order (MO/TO) will help merchants understand where cardholder data is going to be in their systems.
"And from that you can match your security appropriately and thereby meet the requirements," he said. "This is an improvement. Instead of, in the past, 'You must, you must, you must,' it's now 'do this risk-based approach and then match your security to it.' And that's going to be a significant improvement to make life easy for the merchants and let them focus on key areas."
King said the PCI 2.0 updates target smaller merchants, especially, adding that the PCI SSC has added a new section to its website that's entirely dedicated to helping small merchants implement a good security framework. For further information on small-merchant PCI compliance issues, go to www.pcisecuritystandards.org/smb.