How you are changing the PCI standards in 2010

Share this article:
Bruce Rutherford
Bruce Rutherford

Businesses that accept payment cards understand they need to make safeguarding customer data a top priority, says Bruce Rutherford, chairman, PCI Security Standards Council.

Now more than ever, businesses that accept payment cards understand they need to make safeguarding customer data a top priority. As costs associated with data compromise events continue to rise, businesses with robust compliance programs quickly realize that these efforts help protect both their bottom lines and preserve their well-earned reputations. Therefore, it is crucial that businesses of all sizes continue to improve the way they safeguard sensitive information. We understand that mission-critical need and it is the reason the Council employs the Standards Lifecycle Process to help facilitate data security in a simple and effective manner.  

To encourage comprehensive data protection efforts in the marketplace, the next version of our standards will continue to help organizations identify the most effective way to establish simplified and clear security foundations while also achieving high compliance levels.

Earlier this year, we released the newest version of the PIN Transaction Security (PTS) Standard to make it easier for device vendors and their customers to secure sensitive card data at the point of interaction. The PTS Standard establishes security evaluation and testing protocols for the hardware involved in swiping credit card transactions, including POS and unattended payment terminals that are commonly located at gas stations and airport check-in areas.

As part of the lifecycle and feedback review process, the Council will also issue new versions of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) this year based on data security suggestions and feedback from a wide range of organizations. The revisions to these standards will take into consideration clarifications, market insights and new and emerging threats. Through these changes, we hope to reinforce the need for addressing enterprise security not just through secure technology, but also through the people and processes required to establish and maintain a secure environment.

In addition to the release of the updated PTS Standard, the Council recently introduced the Internal Security Assessor (ISA) program, the newest training offered through the Council.  

Launched this spring, this initiative recognizes the integral nature of internal assessors and the important role they play in  building ongoing and vital security processes for their organizations. This certification program, initiated and facilitated by the Council, trains select individuals on the basics of implementing an ongoing security discipline, and works to remove the “check the box” mentality that can sometimes arise with compliance programs. The ISA program benefits include: an opportunity for internal auditors to learn the same techniques taught to QSAs; the chance for merchants to verify their internal staff have a common understanding of the PCI DSS requirements; the ability for merchants to hear the intent of the requirements directly from the Council; and a
 potential reduction in compliance cost by teaching ISAs to develop security strategies before and beyond the annual PCI DSS validation

The first formal ISA training sessions were held in Australia in May. The next sessions are scheduled for August, September and October in conjunction with the PCI Community Meetings.  If you would like more information on this program, please visit the Council's website.

Finally, I'd like to outline what we have planned for the rest of the year, and how you can stay involved in the evolution of the standards.

A summary of the changes to both the PCI DSS and PA DSS will be published this summer. Our Participating Organizations (PO) will then have the opportunity to initially review these changes.

After the POs review the initial changes, we will make new revisions and begin completing the updates in advance of a final review process with the Council's elected Board of Advisors. The new standards will then be presented at the Community Meetings in Orlando and Barcelona. The U.S. Community Meeting will be held September 21-23; the European Community Meeting will be conducted October 18-20. Registration is already open for POs and details are available on the Council's website.

If you are a PO, please plan on attending the meetings for your final opportunity to provide the Council with feedback on these new updates.

The newest versions of both the PCI DSS and PA DSS will be released to the public. In the interest of clarity, we will provide them in plenty of time to implement any new requirements.  That includes phased-implementation dates to give you time to sunset old practices and introduce new ones.

We've tried to undertake this massive project with a great degree of transparency and have consistently reached out to those involved in the payment chain to ensure that there are no “surprises” once the new standards are issued. The anticipated changes will simply provide additional guidance, clarification or evolve a particular existing requirement.

With your support and the help of key stakeholders focused on payment card security, we can accomplish these objectives and usher in an era of increasing adoption and security with these new standards. As always, our goal is to keep you informed throughout this entire process. If at any time, you need additional information from the PCI Security Standards Council, please visit our site for the most up to date information, access to our searchable archive of FAQ guidance, useful support materials, and the ability to post a question directly to our Technical Working Group.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in Opinions

An IT lens on data breach response

An IT lens on data breach response

This heightened awareness regarding data breach response time has created an interesting dynamic for security professionals.

Ensuring your developers love - or at least don't hate - security

Ensuring your developers love - or at least ...

The relationship between development and security doesn't need to be hostile, and there are ways to engage developers more with security.

Backing diversity lowers the bar?

Backing diversity lowers the bar?

Many groups have striven to cultivate a more welcoming workplace, says Alison Gianotto.