
PCI DSS version 2.0 released – What it means to our clients

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that applies to all organisations that store, process or transmit payment card data. On October 28th 2010 the Payment Card Industry Security Standards Council (“the Council”) published the latest version of the standard, known as PCI DSS v2.0.

PCI DSS v2.0 communicates the Council’s intention to provide effective and efficient data security standards that, when implemented correctly, will protect payment card data.

The good news for organisations that are compliant with the existing standard, PCI DSS v1.2.1, is that the changes made in v2.0 do not represent a step change in control requirements; they are an evolution that recognises the maturity of the existing standard.

What the new standard does provide is additional flexibility in some areas, additional guidance in others and a reduction in duplication. In short, the new standard helps organisations bring some economies to their PCI DSS compliance through greater clarity. The main changes are:

  1. The lifecycle of the standard has been extended from 2 to 3 years.
  2. Additional guidance to assist organisations in identifying and documenting the scope of their payment card environments. As a result, 7Safe has seen a marked increase in demand for 7Seec (7Safe’s payment card discovery tool) to assist our clients in discovering the locations of unprotected Primary Account Numbers (PANs).
  3. Recognition of virtualisation technologies and how these should be treated.
  4. Additional guidance on the sampling to be undertaken by an assessor.
  5. Additional instructions for the content of the Report on Compliance (RoC). This is the report issued by the independent, PCI Council-approved Qualified Security Assessor (QSA).
  6. Clarifications and additional guidance on the testing procedures for each of the 12 requirements.

The good news is that the intent of each requirement has not changed, and therefore the underlying control structure that organisations have implemented for compliance is not expected to change significantly. Secure technology, policies, procedures and practices to protect payment card data will continue to be required.

Organisations can assert their compliance with PCI DSS v2.0 with effect from January 2011. Organisations currently working with PCI DSS v1.2.1 can continue to do so until December 2011. After this date, all organisations will be required to assert compliance with PCI DSS v2.0.

“Greater clarity, recognition of evolving technologies, improved guidance, and extended lifecycle”* – that’s the sign of a mature standard: something that businesses can plan for and embed into their regular commercial activities.

Early transition to PCI DSS v2.0 is likely to be the best option for most organisations. Naturally, all new 7Safe engagements undertaken from this stage onwards will focus on v2.0, and for those who are “mid-journey”, our PCI Consultancy team will be (or has already been) in touch to discuss how the transition will affect current and ongoing work.
*Michael Christodoulides – 5th November 2011
