
2010 PCI Changes

Executive Editor

Version 2.0 of the PCI standards will be released Oct. 28, 2010, with compliance taking effect Jan. 1, 2011

Payment Card Industry (PCI) compliance is a major issue for retailers, and will continue to be in the future. In a recent study by Convenience Store News, 54 percent of responding chains reported already achieving PCI compliance this year, while 43 percent are currently in the process of becoming compliant. But inevitably, every three years new standards are released, and many retailers that were once compliant begin the updating process to remain that way. This year, though, the new version doesn't present major changes, according to Bob Russo, general manager of the PCI Security Standards Council.

"This version is 2.0, and the connotation is that there will be major changes, but that isn't the case," he told CSNews in a telephone interview. Most of the changes are "clarifications" such as combining requirements 10 and 11 for the PA-DSS (Payment Application Data Security Standard), which the council found redundant.

"The standard is pretty strong at this point and is maturing so there are no major changes this time around," Russo said. "Basically we are releasing clarifications and explanations on how to comply further down the line."

Feedback is an important component of any changes made, Russo said, explaining that all the changes currently released are a direct result of feedback over the last year. The formal process is part of the three-year cycle, and the feedback comes from participating organizations and an assessment committee.

"More than 50 percent of the comments came from outside the U.S. because this is a global standard," Russo said. "We also have two community meetings in September and October every year, and all companies that belong to the council as a participating organization can attend."

Each company can send two people, and this year the meetings will take place in Orlando and Barcelona prior to final publication of the standard in October. To become a participating organization, there is a yearly membership fee of $2,500, and members can attend the meetings to get questions answered directly, as well as to provide valuable feedback.


The changes to be introduced in October fall into three categories: clarification, additional guidance and evolving requirement.

"One of the things we are reinforcing this year is that prior to somebody coming in and doing an assessment, or a retailer doing a self-assessment, we are endorsing the use of some sort of methodology to go out and find where all of the card data on your network would be," said Russo. "We are not endorsing any products to do it, we are just saying companies should find some sort of methodology."

Additionally, with regard to the PCI DSS, requirements 3.3 and 3.4 were clarified to apply only to PANs, or primary account numbers. "When we say a company needs to mask or render unreadable certain identification, we are only referring to the consumer's account number," Russo explained. "People thought we were talking about all kinds of data, but we are not."

Another requirement for the PCI DSS is applying a risk-based approach for addressing vulnerabilities, ranking and prioritizing them. And changes to the PA-DSS were also addressed in the 2.0 version.

"With the application data security standard, we are aligning it more with the regular data security standard, and it too must have a centralized logging," Russo noted. "The more places somebody has to look for information, the less likely they will look for it."

For comments, please contact Tammy Mastroberte, Executive Editor, at [email protected].
