PCI Council unveils expected changes for DSS guidelines
The PCI Security Standards Council this week unveiled a summary of the changes expected in the upcoming version of its payment security guidelines.
Merchants and assessors should not expect any major revisions when version 2.0 of Payment Card Industry Data Security Standard (PCI DSS) is published Oct. 28, said Bob Russo, general manager of the PCI Council.
The five-year-old standard, which now will receive a refresh every three years instead of two, is expected to provide more clarification in certain areas, Russo told SCMagazineUS.com this week. The updates were based on "400 pieces of feedback" from the council's participating organizations.
"I think the nature of the changes is really a testament of the strength of the standard and that the standard is maturing at this point," Russo said.
Specifically, the new version will reinforce the need for retailers to conduct scoping exercises to locate all sensitive data prior to undergoing an annual assessment, Russo said. There are many low-cost discovery tools available that can be used to find cardholder information, which often lies in "obscure places in the network," he said.
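To make the scoping point concrete, here is an added example of the kind of low-cost cardholder-data discovery check Russo describes: a small scanner that looks for candidate card numbers in text, drops candidates that fail the Luhn checksum, and reports only masked values so the scan itself does not create a new store of cleartext PANs. This is illustrative code written for this page, not a tool from the PCI Council or from the article; the file contents are constructed sample data and a real sweep would walk actual file shares, databases and logs instead of an in-memory dictionary.

```python
import re

# Constructed sample data standing in for files turned up during a scoping sweep.
# The card-like numbers are made-up test values, not real accounts.
SAMPLE_FILES = {
    "exports/orders_2010.csv": "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n",
    "logs/app.log": "2010-08-13 INFO order ok txn=1234567890123456 user=alice\n",
    "docs/readme.txt": "Phone 555-0100. Invoice 20100813. Nothing sensitive here.\n",
}

# A PAN is 13 to 19 digits, optionally separated by single spaces or hyphens.
# The look-arounds stop the pattern from grabbing a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, which is what a report may safely show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one finding per Luhn-valid candidate found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_ok(digits):
                continue        # e.g. a transaction id that merely looks like a PAN
            findings.append({"path": path, "line": lineno, "masked": mask_pan(digits)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents (here the constructed sample set)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['masked']}")
```

The Luhn filter is what separates this from a plain regex grep: the 16-digit transaction id in the log line is rejected, while the two test card numbers in the CSV export are reported. Anything the scanner flags is in scope for the assessment and either needs to be protected under the standard or removed.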
In addition, the updated standard will detail a more risk-based approach for assessing vulnerabilities, Russo said. That means merchants can consider their own business circumstances when evaluating and prioritizing flaws in their networks.
Yet the biggest news from the changes may be what they did not contain. The standards are not scheduled to include any specific references to emerging technologies to protect cardholder data, such as tokenization, chip-and-PIN and end-to-end encryption.
"I think the reaction to what's missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet," Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Friday. "A lot of fundamental questions are still unanswered."
Russo said the council has created a number of special interest groups to study these areas, and they are on track to release guidance for chip-and-PIN by the beginning of September, end-to-end encryption by the end of September, and tokenization by the end of October.
Those technologies are receiving a lot of attention because they help reduce the scope of what merchants must comply with, Litan said.
"Clients will call in and say, 'What does tokenization get us in terms of PCI compliance?'" Litan said. "And you can never give them a clear answer because it's not addressed in the requirements."
Guidance on virtualization, another hot technology because of the cost savings and efficiency it presents, may be released by the end of the year, Russo said.
"There's more questions than answers," Litan said of the updates. "On the other hand, it looks pretty mild. What most people worry about is if it's going to be a lot more work."
Meanwhile, version 2.0 of the Payment Application Data Security Standard (PA DSS) also will be released in October. That standard lays out 14 requirements for software developers who build programs that process credit card payments.
Changes include support for centralized logging and better alignment with PCI DSS.