A standard for payment security
Over the past two years, the PCI Security Standards Council (PCI SSC) solicited feedback on the underlying requirements of the previous standard from key stakeholders in order to develop version 1.2 to better address new security threats, technology advancement and implementation realities. PCI DSS v1.2 meets that objective by providing additional clarifications and explanations of the requirements that help ensure merchants and service providers have a sensible, proven and achievable pathway to protect cardholder account data and adequately comply with the standard.

While version 1.2 does not introduce any new requirements, it is designed to fulfill the following: provide greater clarity on PCI DSS requirements; offer improved flexibility; manage any evolving risks and threats; incorporate existing and new best practices; clarify scoping and reporting; eliminate redundant sub-requirements; and consolidate documentation.

These updates incorporate information security best practices that are proven to be effective at securing the payment process. And, when combined with the additional data security standards and tools added by the council within the last year, these revisions will help businesses better understand and develop security-centric practices that protect payment data and prevent payment card fraud.

The council has implemented a 24-month life cycle review and change process. This means that the PCI DSS will be refreshed every 24 months to provide clarity and flexibility and to address evolving data security threats and vulnerabilities as they emerge. This also will provide ample lead time for organizations to make any needed changes to their security practices.

As a result, the council will release further updates to the standard in another two years. In addition, we will continue to improve the data security education process, which not only will increase compliance, but also serve to decrease data breaches.

It's important to note that the high-profile data breaches of 2008 are more the exception than the rule. While there are still those that remain out of compliance and at risk of a breach, there is an even more profound increase in organizations that are compliant and are adopting the DSS and the tools introduced by the council.

We are proud of the new standards the council introduced this year and the tremendous increase in adoption, but we are even more pleased to see the influence they are having on the information security strategies and practices of enterprises across the globe.