PCI Council Unveils Expected Changes for DSS Guidelines



Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 17, 2010 8:57 am

PCI Council Unveils Expected Changes for DSS Guidelines

By Dan Kaplan of SC Magazine on August 13, 2010:

The PCI Security Standards Council this week unveiled a summary of changes expected to appear in the upcoming release of a new version of its payment security guidelines.

Merchants and assessors should not expect any major revisions when version 2.0 of Payment Card Industry Data Security Standard (PCI DSS) is published Oct. 28, said Bob Russo, general manager of the PCI Council.

The five-year-old standard, which now will receive a refresh every three years instead of two, is expected to provide more clarification in certain areas, Russo told SCMagazineUS.com this week. The updates were based on "400 pieces of feedback" from the council's participating organizations.

"I think the nature of the changes is really a testament of the strength of the standard and that the standard is maturing at this point," Russo said.

Specifically, the new version will reinforce the need for retailers to conduct scoping exercises to locate all sensitive data prior to undergoing an annual assessment, Russo said. There are many low-cost discovery tools available that can be used to find cardholder information, which often lies in "obscure places in the network," he said.

In addition, the updated standard will detail a more risk-based approach for assessing vulnerabilities, Russo said. That means merchants can consider their own business circumstances when evaluating and prioritizing flaws in their networks.

Yet the biggest news from the changes may be what they did not contain. The standards are not scheduled to include any specific references to emerging technologies to protect cardholder data, such as tokenization, chip-and-PIN and end-to-end encryption.

"I think the reaction to what's missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet," Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Friday. "A lot of fundamental questions are still unanswered."

Russo said the council has created a number of special interest groups to study these areas, and they are on track to release guidance for chip-and-PIN by the beginning of September, end-to-end encryption by the end of September, and tokenization by the end of October.

Those technologies are receiving a lot of attention because they help reduce the scope of what merchants must comply with, Litan said.

"Clients will call in and say, 'What does tokenization get us in terms of PCI compliance?'" Litan said. "And you can never give them a clear answer because it's not addressed in the requirements."

Guidance on virtualization, another hot technology because of the cost savings and efficiency it presents, may be released by the end of the year, Russo said.

"There's more questions than answers," Litan said of the updates. "On the other hand, it looks pretty mild. What most people worry about is if it's going to be a lot more work."

Meanwhile, version 2.0 of the Payment Application Data Security Standard (PA DSS) also will be released in October. That standard lays out 14 requirements for software developers who build programs that process credit card payments.

Changes include support for centralized logging and better alignment with PCI DSS.

Original article and other PCI related articles can be found here:
http://www.scmagazineus.com/pci-council ... le/176889/
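The article's point about scoping (locating cardholder data in "obscure places" with discovery tools before an assessment) is easy to show in code. The scanner below is an added example, not part of the article or of anyone's post in this thread: it finds candidate 13-19 digit runs in text, keeps only those that pass the Luhn check that card numbers satisfy, and reports them with all but the last four digits masked so the finding itself does not become another copy of the data. The sample log is constructed; the 4111... and 5500... numbers are publicly documented test PANs, not real cards.

```python
import re
from typing import List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str       # file name or stream label
    line_no: int      # 1-based line number within the source
    masked_pan: str   # only the last four digits are kept


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the last four digits, replace the rest with asterisks."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return masked findings for every Luhn-valid candidate in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file; undecodable bytes are replaced rather than aborting."""
    with open(path, "r", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample: two test PANs, a phone number, an order id that is
# 16 digits but fails Luhn, and a PAN with a typo in the check digit.
SAMPLE_LOG = """\
2010-08-13 09:14:02 order=10023 card=4111111111111111 amount=19.99
2010-08-13 09:14:05 callback phone=3125551234 status=ok
2010-08-13 09:15:11 order=10024 card=5500 0000 0000 0004 amount=5.00
2010-08-13 09:16:40 ref=ORDER-1234567890123456 typo_card=4111111111111112
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "sample.log"):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked_pan}")
```

Run against the sample, only lines 1 and 3 are reported; the phone number is too short, the order id fails Luhn, and the mistyped card number fails Luhn as well. Pointing `scan_file` at log directories, database dumps and shared drives is the kind of low-cost discovery the article refers to; the Luhn filter is what keeps the noise from timestamps and order ids manageable.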



Sr. Member

Posts: 379

Joined: Tue Dec 30, 2008 1:53 pm

Post Tue Aug 17, 2010 9:34 am

Re: PCI Council Unveils Expected Changes for DSS Guidelines

Thanks for the heads-up, Don. I am unfortunately trying to get management's ear about the updated PCI requirements.

eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+


Hero Member

Posts: 1718

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 17, 2010 11:00 am

Re: PCI Council Unveils Expected Changes for DSS Guidelines

I'd fully agree with their concern about the 'what is missing', although, as a pentester, that's just one more thing I guess I'll go after, as I show them where they're lacking...  Job security, I guess...?  ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer,
but what none can see is the strategy out of which victory is evolved."
- Sun Tzu, 'The Art of War'

OSCE, OSCP (Former - GPEN, C|EH - both expiring / expired)
