New PCI Standards Finalized

Questions Still Remain About EMV, Tokenization
While there are no significant changes in the latest iteration of the Payment Card Industry Data Security Standard, outstanding questions remain about the emerging technology guidance that was released earlier this month.

The final version of PCI DSS version 2.0 was released this week. It goes into effect on Jan. 1, but affected entities have until Dec. 31, 2011, to become fully compliant.

"The biggest thing we've learned from this round of changes is that the PCI standards are maturing, and maturing gracefully," says Bob Russo, general manager of the PCI Security Standards Council, which oversaw the latest round of revisions. While there are not many changes to the standard this time around, "it is clear to the council that different technologies that offer additional layers of security will be very important moving forward," Russo says.

PCI 2.0

There are 12 proposed changes in version 2.0 of the PCI DSS, as well as the PCI Payment Application Data Security Standard (PA-DSS). The changes fall into three main categories:

  • Clarification: Clarifies the intent of a requirement; ensures that concise wording in the standards portrays the desired intent of the requirements;
  • Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
  • Evolving Requirement: Ensures the standards are up-to-date with emerging threats and changes in the marketplace.

Key updates include:

  • Reinforcement of the need for a thorough scoping exercise prior to the PCI-DSS assessment, in order to understand where cardholder data resides;
  • Support for centralized logging included in the PCI PA-DSS to promote more effective log management;
  • Validation, within certain requirements, of a risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities; and
  • Greater alignment between PCI-DSS and PA-DSS requirements to facilitate stronger security practices.

Those amendments were first introduced in August and then discussed at length during the North American PCI Community Meeting in September.


Emerging Technologies

Emerging technology standards, including ones on tokenization and encryption, will be addressed in the future, Russo says. The council issued its first guidance on EMV and encryption in October.

"When we first started looking at the emerging technologies, we looked at strengthening the existing standards by adding additional layers of technology, including EMV, point-to-point encryption and tokenization," Russo says. EMV is the chip standard that has been widely adopted throughout Europe as well as other parts of the world, including Canada and Mexico. EMV aims to replace magnetic-stripe technology, which continues to linger in the U.S.

The PCI Council reached out to industry security experts on these emerging technologies. "There was great interest in these emerging technologies, and some very large special interest groups have been working on the guidance," he says. In fact, the council's whitepaper on EMV was reviewed by EMVCo, the body that created the standard. "It is a start, and the groups will be making some recommendations going into 2011 on the EMV and encryption technologies, along with tokenization," Russo says. No standards yet exist for point-to-point, or P2P, encryption or for tokenization. "We will have to study how they cut the cardholder data environment, and, therefore, possibly cut the scope," he says.

Training, Merchant Education

An additional program the PCI Council announced is the PCI Internal Security Assessor Program, which offers training to help corporations assess their own security programs internally.

The PCI Council is also opening a micro website for retailers who need more information and education about PCI requirements and compliance. The website's unveiling comes at the right time, as security experts have recently noticed a PCI compliance gap between larger retailers and smaller merchants. Criminals are beginning to move "down the food chain to target Level 3 and Level 4 retailers with cyber and physical attacks," Russo says.

About the Author

Linda McGlasson, Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.