PCI standards slated for revision

The PCI SSC expects to publish final revisions to both the PCI Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) on October 28 of this year, following upcoming stakeholder community meetings in Orlando, Fla., and Barcelona.

The PCI council also expects to provide a summary of precise changes in early September.

Bob Russo, general manager of the PCI SSC, told Infosecurity that the revisions reflect accumulated feedback the council has received regarding the need for increased clarity and improved flexibility.

He also revealed that more than half of the feedback the council received since its last revision has come from stakeholders outside the US, many of whom have expressed their concern that PCI standards are too US-centric. Russo said he anticipates the PCI standards revisions will provide the type of clarity that facilitates implementation regardless of the local regulatory framework.

Perhaps most importantly, Russo confirmed the PCI standards revisions will not include fundamental changes or any new requirements. According to the PCI SSC, the alterations encompass greater clarity on PCI DSS and PA-DSS requirements, improved flexibility for merchants, and the elimination of redundant sub-requirements.

The revised PCI DSS will encourage merchants to use detection technologies that find cardholder data stored in obscure locations on their systems, but Russo assured that the council would not endorse any specific detection products.

“We are telling people they should use whatever means they can that are readily available to find this data prior to starting an assessment”, Russo said.
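The kind of pre-assessment discovery Russo describes is, in practice, a scan of logs, database dumps, temp files and backups for anything that looks like a primary account number (PAN). The script below is an added illustration, not code from the PCI SSC or from any vendor tool, of how such a scanner cuts false positives: it extracts 13-19 digit runs (with optional space or dash separators), drops anything that fails the Luhn mod-10 check, labels the issuer by IIN prefix and length, and reports only masked PANs (first six and last four digits) so the scan output itself never becomes a new store of cardholder data. The sample log lines are constructed; the card numbers in them are published test numbers, not real accounts.

```python
"""Cardholder-data discovery: find candidate PANs in text, validate, report masked."""
import re
from typing import Optional

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer reference number is not sliced up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample input: the PANs are well-known published test numbers.
SAMPLE_TEXT = """\
2010-09-01 10:12:03 order=8841 card=4111 1111 1111 1111 exp=1213 amount=42.10
2010-09-01 10:12:09 order=8842 card=5500-0000-0000-0004 amount=19.99
2010-09-01 10:13:44 order=8843 card=378282246310005 amount=120.00
2010-09-01 10:15:00 session=2010101112345678 user=jdoe
2010-09-01 10:15:02 ticket=9999999999999995 status=open
2010-09-01 10:16:10 phone=+1 555 0100 order=8844
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> Optional[str]:
    """Coarse issuer check on IIN prefix and length; None if no known brand matches."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "Discover"
    return None


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; never emit the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, source: str = "<text>") -> list:
    """One finding per Luhn-valid candidate; only masked PANs leave this function."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(pan):
                continue        # drops most order IDs, timestamps, session tokens
            findings.append({
                "source": source,
                "line": lineno,
                "masked": mask_pan(pan),
                "brand": card_brand(pan),   # None: Luhn-valid but unknown issuer
            })
    return findings


def scan_files(paths) -> list:
    """Scan files as text, tolerating binary junk, so logs, dumps and temp files are covered."""
    findings = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), source=str(path)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT, source="sample.log"):
        print(f"{f['source']}:{f['line']} {f['masked']} brand={f['brand']}")
```

Run against the sample, lines 1, 2 and 3 are reported as Visa, Mastercard and American Express, the 16-digit session token on line 4 is discarded by the Luhn check, and the Luhn-valid ticket number on line 5 is still reported but with no brand, which is the hit a reviewer should triage by hand rather than silently drop. Real deployments extend this to database exports, process memory dumps and file shares, and add Track-2 patterns for magnetic-stripe data.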

The council’s GM also said some revisions to the PCI DSS would be evolutionary in nature and apply a “risk-based tolerance approach” to addressing vulnerabilities according to business-specific circumstances, a move he acknowledged may cause some friction between qualified security assessors (QSAs) and merchants. However, Russo confirmed that guidance documents will be provided to QSAs when the detailed summary of changes is issued in September.

The PCI SSC has issued a preliminary summary of changes document outlining all anticipated revisions to both standards. The revised standards – PCI DSS 2.0 and PA-DSS 2.0 – will go into effect on January 11, 2011, and represent the beginning of PCI’s new three-year revision lifecycle.
