The Green Sheet Online Edition

September 13, 2010  •  Issue 10:09:01


PCI SSC summarizes changes to upcoming standards

In advance of the October 2010 release of the updated security standards that govern how merchants and payments businesses safeguard sensitive cardholder data, the PCI Security Standards Council (PCI SSC) disclosed a summary of changes it intends to make to the standards.

The council said that, while version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and the Payment Application (PA) DSS do not introduce new requirements, they consist of clarifications, additional guidance and updates to existing requirements. According to Bob Russo, General Manager of the PCI SSC, chief among the changes are the following.

Determining scope

When organizations prepare for PCI assessments, they determine which parts of their networks are "in scope" for the assessment. Determining that scope, it turns out, is not so cut and dried.

According to Russo, the council received a "ton of feedback" from participating organizations, as well as from its own advisory board, that level 1 global merchants are "finding cardholder data in places in their networks where they had no idea it could ever be."

The updated PCI DSS gives guidance on what data loss prevention tools might be useful in locating forgotten or misplaced cardholder data in networks, Russo said. It is important to pinpoint all places where that data is stored before engaging qualified security assessors (QSAs) to perform assessments, he added.
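Locating forgotten cardholder data before the assessor arrives is, in practice, a data-discovery scan. What follows is an added example in Python written for this page; it is not code from the PCI SSC, Trustwave or the original article. It scans constructed file contents (a POS log, a database export and a developer's debug dump, all invented, with widely published test card numbers standing in for real PANs) for 13- to 19-digit candidates, keeps only those that pass the Luhn check, and reports each hit masked so that the scan report does not itself become a new store of cardholder data. The file paths, log formats and separator conventions are assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed stand-ins for files found on a forgotten server: a POS log, a database
# export and a developer's debug dump. 4111... and 5555... are widely published test
# numbers, not real cards; the two 16-digit runs in debug.txt are not card numbers.
SAMPLE_FILES: Dict[str, str] = {
    "/var/log/pos/terminal-07.log": (
        "2010-09-01T12:04:11 auth approved pan=4111111111111111 amt=23.10\n"
        "2010-09-01T12:05:02 auth approved pan=4111 1111 1111 1111 amt=9.99\n"
    ),
    "/srv/export/orders.csv": "order_id,ts,card\n18822,1283342000,5555-5555-5555-4444\n",
    "/home/dev/debug.txt": "ticket 1234567890123456 (not a card) ts=1283342000123456\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a
# longer digit run. This deliberately over-matches; the Luhn check below prunes it.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; timestamps and ticket numbers usually
    fail it, which removes roughly nine out of ten false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so the scan report is not itself a new CHD store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Finding(NamedTuple):
    path: str
    line_no: int
    masked_pan: str


def find_pans(files: Dict[str, str]) -> List[Finding]:
    """Scan each file's text for Luhn-valid PAN candidates and report them masked."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    findings.append(Finding(path, line_no, mask(digits)))
    return findings


def in_scope_paths(findings: List[Finding]) -> List[str]:
    """Distinct locations holding cardholder data: each one drags its host into scope."""
    return sorted({f.path for f in findings})


if __name__ == "__main__":
    hits = find_pans(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit.path}:{hit.line_no}: {hit.masked_pan}")
    print("in scope:", in_scope_paths(hits))
```

Against a real file system the same find_pans() logic would be fed file contents instead of an in-memory dict, and the candidate pattern should be widened for whatever separator conventions are seen locally. The Luhn filter removes most timestamp and identifier noise (both 16-digit runs in the debug dump fail it), but a person still has to confirm each hit. Every distinct path returned by in_scope_paths() pulls its host, and whatever that host connects to, into scope, which is exactly the surprise Russo describes.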

James Paul, Senior Vice President, Delivery, at Trustwave, said it is problematic when QSAs find sensitive data that is "out of scope" of the assessment when they are conducting an assessment. "If you get the scope wrong, the assessment itself is somewhat invalid," he said.

Security experts have a term for this problem: "scope creep," Paul said. If a merchant forgot about a data center that contained cardholder data, "all of a sudden the QSA says we can't ignore that," he said.

"It's part of the environment. We have to go visit that site and potentially have to apply the sector requirements to systems in that site."

Centralized logging

Centralized logging is already included in the PCI DSS. Russo said the addition of centralized logging to the PA DSS is important because it is more likely companies will monitor the "events" that occur on their systems if event details are recorded at one location. "If your staff has got to go look in more than one place, chances are they're not going to go look for it," he said.

Paul likened centralized logging to giving information technology professionals a dashboard view of what is occurring on networks.

For example, if a USB device is plugged into a POS terminal to load malware onto that terminal, that event is registered in the log, he said. And if a compromise should occur, centralized logging gives investigation teams a "breadcrumb trail for them to follow to help them determine the nature of the breach and the extent of the breach," he added.
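Paul's USB scenario is a good test of what a central log store buys you. The following is an added example in Python written for this page, not code from Trustwave, the PCI SSC or the article. It parses constructed log lines as they might arrive from three POS terminals (hostnames, device serials, paths and the line format are all invented), and runs two checks over them: per terminal, a removable-media attach followed within a short window by a process launched from that media; and across terminals, the same USB serial appearing on more than one host, a pattern that no single terminal's log can ever reveal. Each alert carries the raw lines that justify it, which is the breadcrumb trail an investigator wants.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed log lines as they might arrive at a central collector from three POS
# terminals (hostnames, serials and paths are invented). Assumed line format:
# "<UTC time> <host> <source>: <message>".
CENTRAL_LOG = r"""
2010-09-10T02:13:05Z pos-03 usbmon: mass storage attached serial=5A1F0C
2010-09-10T02:13:41Z pos-03 exec: process start image=E:\update.exe user=SYSTEM
2010-09-10T02:20:12Z pos-07 usbmon: mass storage attached serial=5A1F0C
2010-09-10T02:20:50Z pos-07 exec: process start image=E:\update.exe user=SYSTEM
2010-09-10T09:02:00Z pos-11 usbmon: mass storage attached serial=7B2290
2010-09-10T09:02:30Z pos-11 exec: process start image=C:\pos\pos.exe user=pos
2010-09-10T09:31:00Z pos-11 exec: process start image=E:\update.exe user=SYSTEM
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
USB_ATTACH = re.compile(r"mass storage attached serial=(\w+)")
PROC_START = re.compile(r"process start image=(\S+)")
REMOVABLE_PREFIX = "E:\\"        # assumption: removable media mounts as E: on these terminals
WINDOW = timedelta(minutes=10)   # tuning choice: attach-to-launch gap that counts as linked


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str      # "usb_attach" or "exec"
    detail: str    # device serial, or executable image path
    raw: str       # the original line, kept as the evidence trail


class Alert(NamedTuple):
    rule: str
    hosts: List[str]
    trail: List[str]   # raw log lines that justify the alert, in time order


def parse(log_text: str) -> List[Event]:
    """Normalise the two event types of interest and sort by time, since a central
    collector receives lines from different terminals out of order."""
    events = []
    for raw in log_text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # in production, count unparseable lines; silent drops hide gaps
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host, msg = m.group(2), m.group(4)
        usb = USB_ATTACH.search(msg)
        proc = PROC_START.search(msg)
        if usb:
            events.append(Event(ts, host, "usb_attach", usb.group(1), raw))
        elif proc:
            events.append(Event(ts, host, "exec", proc.group(1), raw))
    return sorted(events, key=lambda ev: ev.ts)


def exec_from_removable_after_attach(events: List[Event]) -> List[Alert]:
    """Per terminal: removable media attached, then something launched from it within WINDOW."""
    alerts = []
    last_attach: Dict[str, Event] = {}
    for ev in events:
        if ev.kind == "usb_attach":
            last_attach[ev.host] = ev
        elif ev.kind == "exec" and ev.detail.upper().startswith(REMOVABLE_PREFIX):
            attach = last_attach.get(ev.host)
            if attach is not None and ev.ts - attach.ts <= WINDOW:
                alerts.append(Alert("exec-from-removable-after-attach",
                                    [ev.host], [attach.raw, ev.raw]))
    return alerts


def same_device_on_many_terminals(events: List[Event]) -> List[Alert]:
    """Across terminals: one USB serial seen on more than one host. A per-host log
    can never show this; it is the kind of pattern centralisation exists for."""
    by_serial = defaultdict(list)
    for ev in events:
        if ev.kind == "usb_attach":
            by_serial[ev.detail].append(ev)
    alerts = []
    for evs in by_serial.values():
        hosts = sorted({ev.host for ev in evs})
        if len(hosts) > 1:
            alerts.append(Alert("same-usb-device-on-multiple-terminals",
                                hosts, [ev.raw for ev in evs]))
    return alerts


def analyze(log_text: str) -> List[Alert]:
    events = parse(log_text)
    return exec_from_removable_after_attach(events) + same_device_on_many_terminals(events)


if __name__ == "__main__":
    for alert in analyze(CENTRAL_LOG):
        print(alert.rule, alert.hosts)
        for line in alert.trail:
            print("   ", line)
```

On this input pos-03 and pos-07 each produce a per-terminal alert, and the shared serial 5A1F0C produces one cross-terminal alert naming both. The late launch from E: on pos-11, 29 minutes after the attach, falls outside WINDOW and is deliberately not flagged by the first rule; whether that gap should still raise a lower-severity alert is a tuning decision, and the example shows where that decision lives.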

Greater risk profile flexibility

Russo said the council received strong feedback that organizations wanted more flexibility in how they assess their systems from a risk perspective. A business might recognize that a security vulnerability exists but judge the risk of it resulting in a data breach so low that it wants to set that vulnerability aside for now and focus on bringing more important parts of its systems into compliance, he said.

Paul sees this change to the standard as recognition that merchants have different risk tolerance levels. But he is concerned about who defines a business' risk tolerance. "Right now it looks as though [merchants will] be able to define that risk," he said. "I'm concerned a little bit about a situation where I, as the QSA, may feel a risk as a higher priority than, say, a client does and how that gets resolved."

Language clarification

Russo said the PCI SSC also attempted to clarify certain language in the standards, for example, the exact meaning of masking the primary account number (PAN) when it is displayed as opposed to rendering it unreadable wherever it is stored, or how to ensure organizations use strong passwords. The council targeted language in the standards based on feedback from PCI participating organizations, Russo said.
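The distinction between masking a PAN and rendering it unreadable is worth seeing in code, because conflating the two produces a common and nasty failure. The following is an added example in Python written for this page; it does not reproduce the council's clarified wording and is not code from the PCI SSC or the article. It shows masking for display, truncation for storage, an unkeyed SHA-256 hash, and a keyed HMAC, and then takes the attacker's view: given a masked value (first six and last four digits) and an unkeyed hash of the same PAN, only six digits are unknown for a 16-digit PAN, so the hash is recovered by trying all one million candidates. The test PAN is a widely published Visa test number, not a real card, and the key handling is an assumption noted in the code.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed input: a widely published Visa test number, not a real card.
TEST_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Masking is a display control: at most the first six and last four digits are
    shown, but the full PAN still exists behind the mask."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation is a storage control: the discarded digits are gone, not hidden."""
    return pan[-4:]


def naive_hash_pan(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: looks unreadable, but see recover_pan()."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Without the key no candidate digest can be
    computed, so the search in recover_pan() has nothing to compare against.
    Assumption: the key is managed like an encryption key, never stored beside the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, digest_hex: str) -> Optional[str]:
    """Attacker's view: a masked PAN (first six and last four known) plus an unkeyed
    hash of the same PAN. For a 16-digit PAN six digits are hidden, so there are only
    10**6 candidates and the 'one-way' hash is simply searched, not reversed."""
    first6, last4 = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    target = bytes.fromhex(digest_hex)
    for middle in range(10 ** hidden):
        candidate = f"{first6}{middle:0{hidden}d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(TEST_PAN)
    print("displayed as:", masked, "| stored truncated as:", truncate_pan(TEST_PAN))
    print("unkeyed hash recovered:", recover_pan(masked, naive_hash_pan(TEST_PAN)))
    key = secrets.token_bytes(32)  # stand-in for a key fetched from a key manager
    print("keyed hash recovered:", recover_pan(masked, keyed_hash_pan(TEST_PAN, key)))
```

The practical consequence: an unkeyed hash only counts as "unreadable" if nothing in the environment also holds the masked or truncated form of the same PAN, since the two together reconstruct it in well under a second on commodity hardware. A keyed hash, strong encryption or tokenization avoids that correlation, provided the key really is kept apart from the data.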

"Certainly there are times when the language in the standard can be read one way by one person and another way by another person," Paul said. "By and large I think most of those have been addressed through questions to the council or through the SAQ [self assessment questionnaire] which is available on the council's website."

A global standard

In the feedback period the PCI SSC sets aside to give participating organizations a chance to communicate their thoughts and concerns about the standard, the council received 400 detailed responses, Russo said.

During that feedback phase, 54 percent of comments came from outside the United States. "Now we're getting global uptake," Russo said. "This is a global problem; we need to make sure that we're getting participation from every corner of the globe. And we are."

Version 2.0 of the PCI DSS and the PA DSS will be made available to participating organizations in September, together with a more in-depth summary of changes, giving them time to digest the updated standards before the Oct. 28 release.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

