PCI Security Council Releases Changes for October
WAKEFILED, Mass. -- PCI (Payment Card Industry) compliance is a major issue for retailers, and will continue to be in the future. In a recent study by Convenience Store News, 54 percent of responding chains reported already achieving PCI compliance this year, while 43 percent are currently in the process of becoming compliant. But inevitably, every three years new standards are released, and many retailers that were once compliant begin the updating process to remain that way. But this year, the new version doesn't present major changes, according to Bob Russo, general manager of the PCI Security Standards Council.
"This version is 2.0, and the connotation is that there will be major changes, but that isn't the case," he told CSNews Online in a telephone interview. Most of the changes are "clarifications" such as combining requirements 10 and 11 for the PA-DSS (Payment Application Data Security Standard), which the council found redundant.
"The standard is pretty strong at this point and is maturing, so there are no major changes this time around," Russo said in the interview. "Basically we are releasing clarifications and explanations on how to comply further down the line."
Every three years, a new ".0 version" will release (this year is 2.0), and any changes during the three year cycle will be a 2.1, 2.2 or 2.3, said Russo. This week, the Council released a summary or high-level view of the upcoming changes, due out Oct. 28, 2010. However, the deadline for compliance is Jan. 1, 2011.
"The reason we make the effective date Jan. 1, instead of October when we release it, is because merchants have told us they are on lockdown during the holidays and at the end of the year where they don't change anything," he explained.
In fact, feedback is an important component of any changes made, Russo said, explaining all the changes currently released are a direct result of feedback over the last year. The council uses a formal and informal feedback process. The formal process is part of the three-year cycle and comes from participating organizations and an assessment committee. This time, 400 different companies, including merchants, banks, processors and vendors, filled out a feedback form, and since each company has the opportunity to submit five issues, Russo told CSNews Online the feedback really amounts to more than 1,000 comments.
"More than 50 percent of the comments came from outside the U.S. because this is a global standard," Russo said. "We also have two community meetings in September and October every year, and all companies that belong to the council as a participating organization can attend."
Each company can send two people, and this year they will take place in Orlando and Barcelona prior to final publication of the standard in October. To become a participating organization, there is a yearly membership fee of $2,500, and members can attend the meetings to get questions answered directly, as well as to provide valuable feedback.
Furthermore, the council collects forensics whenever there is a security breach and takes that into account, along with feedback that Russo gets when traveling to and speaking at conferences.
An Overview of Changes
The changes to be introduced in October fall into three categories, according to the council. These include clarification, additional guidance and evolving requirement.
"One of the things we are reinforcing this year is that prior to someone coming in and doing an assessment, or a retailer doing a self-assessment, we are endorsing the use of some sort of methodology to go out and find where all of the card data on your network would be," said Russo. "We are not endorsing any products to do it, we are just saying companies should find some sort of methodology."
Additionally, with regards to the PCI DSS, requirements 3.3 and 3.4 were clarified, and only apply to PAN or personal account number. "When we say a company needs to mask or render unreadable certain identification, we are only referring to the consumers account number," Russo explained. "People thought we were talking about all kinds of data, but we are not."
Another requirement for the PCI DSS -- falling under the evolving requirement category -- is applying a risk-based approach for addressing vulnerabilities, ranking and prioritizing them. And changes to the PA DSS were also address in the 2.0 version.
"With the application data security standard, we are aligning it more with the regular data security standard, and it too must have a centralized logging," Russo noted. "The more places somebody has to look for information, the less likely they will look for it."
Looking toward the future and the hot topic of Chip and PIN or EMV, Russo said it's not something the council can determine or dictate, but if it does happen, all of the brands' compliance programs would change.
"A lot of the world is already using it," Russo noted, explaining Chip and PIN requires not only a signature but also a PIN number when purchasing with a credit card. "We put together some guidance, and this will also be released for our community meetings."
The guidance touches on Chip and PIN, tokenization and point-to-point encryptions, he said. "We will be giving guidance on those technologies and what, if anything, is already satisfied within the standards." For a full summary of the changes, you can visit the PCI Security Council Web site.