September is a big month for the Payment Card Industry Data Security Standard (PCI DSS), with new regulations being introduced.
As detailed by SC Magazine in August, the new requirements will officially be introduced from January 2011, while the old standard will ‘sunset’ at the end of December 2011. In an interview with SC Magazine, Jeremy King, the Security Standards Council's (SSC) European director, said that he was aiming to increase participation and increase awareness of PCI in Europe.
Alex Teh, commercial director of distributor Vigil Software, looks at some of the main questions around PCI DSS compliance, and offers some answers to the most frequently asked questions.
Q. What is PCI and what does it apply to?
A. The Payment Card Industry Data Security Standard (PCI DSS) is a set of directives established by the leading global credit card organisations including Barclays, Visa, MasterCard and Amex. The standard, which is issued by the PCI Standards Council, sets out guidelines to ensure that companies handling credit card transactions adopt best practices to protect sensitive data such as credit card numbers, addresses and PIN numbers from falling into unauthorised hands. Companies failing to demonstrate they comply with the guidelines are liable to incur financial penalties for failing to protect customer data adequately.
The original PCI DSS v1.2 published in November 2008 ensured that compliant organisations build and maintain a vulnerability management program, implement strong access control measures, monitor and test networks and maintain an information security policy.
Q. What is the September deadline and who does it apply to?
A. 30th September is the deadline set by Visa and MasterCard by which all merchants must comply with the original v1.2 guidelines or risk being fined for non-compliance.
Q. What are the latest guidelines due to be published at the end of October 2010?
A. Version 2.0 of the PCI DSS is scheduled to be published on 28th October 2010. Open meetings are being held in September in Europe and the US, and the anticipated effective date is 11th January 2011. The new requirements are outlined in the PCI DSS whitepaper available for free download at PCI Changes. Some important highlights are:
- Clarification recommending a periodic discovery process to make sure all credit-card-related data is covered by security measures.
- Guidance on virtualisation and DMZ settings.
- An evolving requirement for centralised logging of payment transactions - probably not to be used in the US.
- Validation, within certain requirements, of a risk-based approach to addressing vulnerabilities, allowing organisations to consider their specific business circumstances and tolerance to risk when assessing and prioritising vulnerabilities.
Q. What has prompted the new revisions?
A. They are derived as part of the ongoing lifecycle process based on input from merchants, banks, processors and vendors within the PCI community. The intention is to improve the flexibility of organisations to implement controls, better manage evolving threats and address scoping and reporting issues. They also increase alignment between the PCI DSS and the Payment Application Data Security Standard (PA DSS) making it easier to comply with both standards.
Q. Who should you contact to get help in meeting compliance guidelines?
A. Security specialists can provide guidance and assistance to companies seeking to meet the latest guidelines. We offer a free compliance audit to help identify areas of potential vulnerability in the context of your overall business.
There are also multiple security products available on the market to help companies navigate the compliance requirements and automate the processes to secure confidential data. Ultimately it will be the Qualified Security Assessors (QSAs) who determine whether or not your organisation complies with the requisite guidelines.