PCI council launches microsite to help small merchants understand updated standards

Under the changes to the PCI-DSS and PA-DSS that take effect Jan. 1, 2011, organizations are advised to conduct a “scoping” exercise to determine where cardholder data is located, institute more effective log management in securing cardholder data, and adopt a risk-based approach when addressing vulnerabilities.

The lifecycle of the PCI council's standards will be extended from the current two years to three years to give merchants more time to implement them. In addition, greater flexibility has been introduced for small merchants to enable them to comply with the standards, including the establishment of a microsite with information specifically targeted to them.

Version 1.2 of PCI-DSS and PA-DSS will be retired on Dec. 31, 2010, giving organizations who have not fully implemented version 1.2 time to complete the process, said Jeremy King, PCI’s European regional director.

King told Infosecurity that one of the key things the PCI Council wants merchants to do is determine where their data is stored. “Quite often, merchants aren’t aware that their systems are taking cardholder data and using it in a different way…. By undertaking a thorough exercise, the merchants should be able to identify where they have data in their system and how it is going through their processes. Once you [as a merchant] understand that, you are in a better position to protect the data and use the standards to help you introduce good firewall practices and institute good data security practices.”

Once merchants have identified where the data is located, the PCI Council is recommending that they take a risk-based approach to address vulnerabilities. “We are saying to merchants: identify where your data is and identify how you are interacting with cardholders. They need to understand: Are they doing face-to-face transactions, do they do e-commerce transactions, or do they take mail order or telephone orders? Where is the data flowing and what are the risks you need to be addressing?”, he said.

The council is also recommending that merchants establish more centralized logging systems so that breaches can be detected in a timely manner. “The quicker you can identify that something strange is happening, the quicker you can shut it off; you can then reduce the chances of cardholder data being compromised”, King said.

The standards also are designed to make the process simpler for smaller merchants. “We have made it easier for them to complete our self-assessment questionnaire” by reducing the number of questions and tailoring the remaining questions for them, he explained.

The PCI Council is also developing security guidelines on emerging technologies, such as virtualization and cloud computing. The current guidelines for virtualization include a recommendation that the merchant maintain only one primary function per virtual server. “Virtualization goes well beyond virtual servers…. [We are] looking into a wider range of virtualization, including cloud computing”, King said. The emerging technologies guidance is expected to be ready next year.

Another new area the PCI Council is looking into is point-to-point encryption. The organization released guidance on that technology earlier in October. The guideline simplifies the approval process for point-to-point encryption. “The devil is in the details. There is a lot of detail in how the point-to-point encryption process works,” he said. Updated guidance, which will include criteria to validate the performance of point-to-point encryption technology, is due out next year.

In addition, the council expects to have security guidance for tokenization ready in December. Tokenization takes a card number and turns it into a surrogate value that represents the card number, but with no ability to determine the number from the surrogate value.

Commenting on the tokenization guidance, Ulf Mattson, chief technology officer at Protegrity and a member of the PCI Council’s working group on tokenization, said:

“There is a particularly strong need for the PCI Security Standards Council to provide guidance on how tokenization of cardholder data can reduce the size of the cardholder data environment [CDE] and outline acceptable tokenization architectures for implementations and operations. This is important because the CDE is that part of the network that possesses cardholder data or sensitive authentication data. Like many others, I expect the document to somewhat mirror the tokenization best practices document that Visa released in July, which will be a good framework for the industry to build on.”

PCI plans to hold a series of webinars on the updated standards in November. Information about participating can be obtained from the PCI Council’s website.
