Updating PCI

WHILE THERE WILL BE NO NEW REQUIREMENTS for retailers in the next version (2.0) of the PCI DSS (Data Security Standard) and the PA-DSS (Payment Application Data Security Standard) coming out at the end of October, there will be some updates, clarification and guidance. To wit:

  • Scoping. “We're encouraging you to do a thorough scoping exercise to find where cardholder data is in your network prior to an assessment,” said Bob Russo, general manager of PCI Security Standards Council, Wakefield, Mass., which manages the PCI DSS and PA-DSS standards, along with the PIN Transaction Security (PTS) requirements. “We're doing this because we hear people are finding data in places they had no idea it could be - such as the HR department.”

  • Logging. In addition to keeping a centralized log for card data activity, the Council is advising retailers to use a centralized log for payment applications. In general, there will be a greater alignment between the PCI DSS and the PA-DSS.

  • Assessing risk. Retailers will be given greater latitude to address vulnerabilities based on an assessment of risk.
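As an added illustration of the scoping exercise the Council describes above (this is example code, not anything published by the Council or quoted in the article), the scan below flags Luhn-valid primary account numbers in an exported file and reports only the line number and a masked value, so the discovery pass does not itself create another copy of cardholder data. The HR expense export it scans is constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which rules out timestamps and long serials).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check.

    Most real card numbers pass it; most phone numbers, badge serials and
    ticket ids do not, so it cuts down false positives from the regex.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return [(line_number, masked_pan)] for every Luhn-valid candidate in text.

    Only the last four digits are kept, which is what an assessor needs to
    confirm the finding without the scan output becoming in-scope data itself.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append((line_no, masked))
    return hits


# Constructed sample: an HR expense export that should never hold card data.
# Line 2 and line 4 contain industry test card numbers; line 3 holds a
# 16-digit badge serial that fails Luhn and should not be reported.
SAMPLE_HR_EXPORT = """\
emp_id,name,note
E1042,A. Smith,"reimbursed on corp card 4111 1111 1111 1111"
E1043,B. Jones,"badge serial 1234567890123456 reissued"
E1044,C. Lee,"card on file 5500-0000-0000-0004 for travel"
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_HR_EXPORT):
        print(f"line {line_no}: {masked}")
```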

A more detailed description of the changes in the new standards was slated to be released by the Council as of early September. The Council will be holding a U.S. meeting on the new standards in Orlando, Fla., Sept. 21-23. The standards will then be issued on Oct. 28 and become mandatory on Jan. 1. All three standards under the Council's management now follow a three-year development lifecycle.

While the PCI standard has come in for its share of criticism, some observers believe it offers a good security foundation. “It's an urban myth that PCI is just a checkbox,” said Ravi Bagal, vice president and global managing director, retail and distribution, Verizon Business, Basking Ridge, N.J. “Seventy percent of retailers that experience breaches did not complete PCI compliance.”