PCI Council unveils expected changes for DSS guidelines

The PCI Security Standards Council this week published a summary of the changes expected in the next version of its payment security standards.

Merchants and assessors should not expect any major revisions when version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) is published on Oct. 28, said Bob Russo, general manager of the PCI Council.

The five-year-old standard, which is moving to a three-year revision cycle instead of two, is expected mainly to clarify existing requirements rather than add new ones, Russo told SCMagazineUS.com this week. The updates were based on "400 pieces of feedback" from the council's participating organizations.

"I think the nature of the changes is really a testament of the strength of the standard and that the standard is maturing at this point," Russo said. 

Specifically, the new version will make explicit that merchants must perform a scoping exercise to locate all cardholder data before an annual assessment begins, Russo said. Many low-cost discovery tools are available to find cardholder information, which often turns up in "obscure places in the network," he said.
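The scoping step Russo describes is, in practice, a search for primary account numbers (PANs) in places nobody expected them: log files, database exports, support tickets, shared drives. The following is an added example, not code from the article or from the PCI Council, of the core of such a discovery pass: a regular expression for candidate card numbers plus a Luhn checksum to throw out most of the digit strings that are not cards, with hits masked before they are reported so the scan report does not itself become cardholder data. The sample log excerpt is constructed for this example, and the two card numbers in it are the publicly known test numbers, not real accounts.

```python
"""Cardholder-data discovery: scan text for candidate PANs and keep only
those that pass the Luhn check, so a scoping exercise finds real card
numbers in logs, exports or dumps rather than every long digit string.
Added example; not part of the original article."""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Pattern constructed for this example;
# production discovery tools also match issuer prefixes and track data.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return unique Luhn-valid PAN candidates in text, as digit strings."""
    found: list[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Show only first six and last four digits, so the report itself is not a PAN store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample log: two test card numbers (one with spaces) and two
# decoy digit strings of card-like length that fail the Luhn check.
SAMPLE_LOG = """\
2010-08-20 14:02:11 order=481516 card=4111111111111111 amount=42.00
2010-08-20 14:02:12 card=5555 5555 5555 4444 status=approved
2010-08-20 14:02:13 ref=1234567890123456 note=not a card
2010-08-20 14:02:14 phone=+1 555 0100 invoice=98765432109876
"""


def scan(text: str = SAMPLE_LOG) -> list[str]:
    """Run discovery over text and return masked hits suitable for a scoping report."""
    return [mask_pan(p) for p in find_pans(text)]


if __name__ == "__main__":
    for hit in scan():
        print("possible PAN:", hit)
```

Two caveats a practitioner should keep in mind. First, regex plus Luhn still produces false positives, since any Luhn-valid 16-digit identifier (some order or account numbers are deliberately Luhn-checked) will match; serious discovery tools also check issuer ranges and let you exclude known non-card identifier formats. Second, a text scan only covers what is readable as text: PANs in database columns, memory dumps, backups and encoded files need tooling that can reach those locations, which is why "obscure places in the network" keep showing up in assessments.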

In addition, the updated standard will spell out a more risk-based approach to vulnerability management, Russo said. Rather than treating every finding alike, merchants will be able to rank vulnerabilities by the risk they pose to their own environment and prioritize remediation accordingly.

Yet the biggest news from the changes may be what they do not contain. The new version is not scheduled to make any specific reference to the emerging technologies being adopted to protect cardholder data, such as tokenization, chip-and-PIN and end-to-end encryption.

"I think the reaction to what's missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet," Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Friday. "A lot of fundamental questions are still unanswered."

Russo said the council has created a number of special interest groups to study these areas, and they are on track to release guidance for chip-and-PIN by the beginning of September, end-to-end encryption by the end of September, and tokenization by the end of October.

Those technologies are receiving a lot of attention because they can shrink the scope of the environment to which PCI DSS requirements apply, Litan said.

"Clients will call in and say, 'What does tokenization get us in terms of PCI compliance?'" Litan said. "And you can never give them a clear answer because it's not addressed in the requirements."

Guidance on virtualization, another hot technology because of the cost savings and efficiency it presents, may be released by the end of the year, Russo said.

"There's more questions than answers," Litan said of the updates. "On the other hand, it looks pretty mild. What most people worry about is if it's going to be a lot more work."

Meanwhile, version 2.0 of the Payment Application Data Security Standard (PA-DSS) will also be released in October. That standard lays out 14 requirements for vendors who develop the payment applications that process credit card transactions.

Changes include a requirement that payment applications support centralized logging, and closer alignment of the PA-DSS requirements with PCI DSS.
