WAKEFIELD, Mass. -- The PCI Security Standards Council (PCI SSC) announced expected changes to be introduced with version 2.0 of PCI and Payment Application data security standards in October 2010.
The PCI SSC is a global, open-industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS).
In an effort to provide greater clarity and ongoing transparency, the summary from the PCI SSC will help all organizations involved [image-nocss] in payment card security prepare to align their PCI security programs with the updated standards.
Participating organizations will have the opportunity to discuss these changes at the PCI SSC annual community meetings in Orlando and Barcelona, prior to the publication of the final standards on Oct. 28.
As part of the planned standards lifecycle process, the proposed changes were developed with input and ongoing industry feedback received from merchants, banks, processors and vendors in the PCI community.
Version 2.0 of PCI DSS and PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include: Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides. Support for centralized logging included in PA-DSS to promote more effective log management. Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities. Greater alignment between PCI DSS and PA-DSS to facilitate stronger security practices.
"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," said Bob Russo, general manager, PCI Security Standards Council. "With the changes to the PCI DSS and PA-DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."
The document will help stakeholders begin to prepare for discussion of the new versions of the PCI DSS and PA-DSS at the forthcoming community meetings in the United States and Europe. A more detailed summary of changes and pre-release versions of the revised standards will also be provided to participating organizations in early September.
"The council continues to promote active participation in the development of the standards," said Michael Reidenbach, executive vice president and worldwide chief information officer at Global Payments Inc., and member of the PCI SSC Board of Advisors. "The summary of changes not only gives stakeholders the information they need to plan for the updated standards, but also encourages industry involvement in shaping payment card security."
Click hereto read the summary of changes.
The PCI SSC also invites participating organizations and the public to a webinar that covers the summary of changes in greater depth to be held on Tuesday, Aug. 24, at 3 p.m. ET/noon PT, and Thursday, Aug. 26, at 11 a.m. ET/8:00 a.m. PT.
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.