No major PCI DSS revision expected in 2010

By Robert Westervelt, News Editor
27 Jan 2010 | SearchSecurity.com

Security Wire Daily News
PCI Security Standards Council general manager Bob Russo said the next revision of the Payment Card Industry Data Security Standard (PCI DSS), due in October, will contain clarifications but no major changes to the standard.

"There won't be any surprises," Russo said. "We're more likely to see guidance documents."

Encryption, virtualization and the use of more secure payment terminals are expected to gain more attention. Those topics have been the focus of several special interest groups managed by the PCI SSC and of a study of emerging technologies intended to help shape future versions of the standard, Russo said. The organization is also considering Chip and PIN technology, though no PCI DSS revisions on that issue are anticipated in 2010.

PCI DSS changes take place on a two-year revision schedule, with the last major update released in 2008. The organization gathers about four months of feedback from council members followed by a meeting of its Board of Advisors in which any proposed changes are put in place. A draft revision of the new standard is due in May, and the organization will gather any remaining feedback at its community meetings in September. The updated PCI DSS standard would be finalized and made public by mid-October, along with any revisions made to the Payment Application Data Security Standard (PA DSS), Russo said. A revision to the PIN Entry Device Security Requirements, also maintained by the organization, is due in April.

Rather than a major PCI DSS revision, the council expects to release guidance documents this year to help merchants who are being bombarded by vendors with new card data protection technologies.

A topic deserving further study is end-to-end encryption, Russo said. Robert Carr, CEO of Heartland Payment Systems Inc., which announced last year that it suffered a massive breach as a result of a SQL injection flaw, has been pushing the industry to adopt more comprehensive encryption measures. Heartland has worked with Voltage Security Inc. to develop its E3 secure payment system. But Russo said the term "end-to-end encryption" hasn't been clearly defined and added that tokenization, a facet of a payment strategy being introduced by EMC Corp.'s RSA security division and payment processing giant First Data Corp., introduces similar security issues.

"End-to-end encryption is a catchphrase because at a certain point along the line, the data needs to be decrypted," prompting key management questions, Russo said. "Key management introduces a whole new series of issues that could cause you to be less secure."

Russo said he doesn't expect a dedicated end-to-end encryption special interest group to study the issue. Instead, encryption within the payment process will be addressed as other technologies that affect the payment process are identified and studied. The Virtualization Special Interest Group, due to recommend guidance in March on protecting card data within virtualized environments, will address the role of encryption as well, Russo said.

"Unfortunately there are so many different technologies that merchants may have started down the path with that we need to be careful and study them before prescribing them in the standard," Russo said.

Chip and PIN technology is also gaining increased attention among the card brands, Russo said. A special interest group is studying Chip and PIN, which is widely used in Asia and Europe and is being phased in at payment terminals in Canada. The technology replaces the magnetic stripe on the back of a card with an embedded microchip and adds a four-digit PIN to confirm a payment. The issue is also being pushed by lawmakers: at a congressional subcommittee hearing on the adequacy of PCI DSS to protect cardholder data, several lawmakers called on the industry to move forward with Chip and PIN to reduce data theft and bolster the protection of transactions.

"The rest of the world is using some form of Chip and PIN so we can't ignore it," Russo said. "It's an enormous endeavor and implementing this poses huge costs."
