A reinforcement of the need for a thorough scoping exercise, support for centralised logging and validation of a risk-based approach are among the requirements in the revised PCI standards.
The standards from the PCI Security Standards Council (PCI SSC) for the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS) have been published with the expected changes detailed.
The PCI Security Standards Council (SSC) clarified in the interview with the council's European director Jeremy King that the standard has been shared with participating organisations over the summer, with the new standard introduced from January 2011, while the old standard will ‘sunset' at the end of December 2011. The standard will be discussed at the PCI SSC annual community meetings in Orlando, Florida and Barcelona, prior to the publication of the final standards on 28th October.
Talking to SC Magazine, Bob Russo, general manager of the PCI SSC, said that the changes were the direct result of the new lifecycle and were intended to give greater clarity within the requirements.
He said: “This is a high level survey so users can get an idea of what to expect. In September we will release the changes and users can understand what they are expected to do.
“DSS reinforcers need to take scoping to a higher level, and we are now encouraging people to do some kind of methodology. We say use a tool or data loss prevention to find where the data is in the network before you start an assessment and also says finding data in the networks is important to know it is there.”
There is an encouragement to do efficient logging in the PA-DSS standard, as Russo explained that this was introduced as ‘the more places there are to look the less likely people are to do it'.
There is also a consideration of a risk-based approach when addressing vulnerabilities. Russo said: “Requirement 6.2 says you can talk about a vulnerability with a qualified security assessor (QSA) and economise for risk tolerance within your business circumstances to make it more flexible.
“Also when people are using an external database, we reference them and say it is a good thing and encourage them to use them.”
Asked if this referred to better management of cloud-hosted databases, Russo said that was part of it, but it was also with an eye on outsourced applications and it was saying to look at any external database.
Russo also commented on claims that the standards are ‘US-centric', claiming that 50 per cent of the feedback that led to the requirement changes were from outside the US. “That is testament to the fact that this really is a global standard,” he said.
“The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data. With the changes to the PCI DSS and PA-DSS outlined in advance, organisations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data.”