Next version of PCI DSS due in September

PCI Security Standards Council GM Bob Russo says tweaks and clarifications are expected in the areas of wireless and application security.

SAN FRANCISCO -- PCI Security Standards Council General Manager Bob Russo said merchants can expect the next revision to the Payment Card Industry Data Security Standard in September.

"I can't really tell you if it's going to be a rev, or a new version number. In my mind, it doesn't really matter if it's a 1.2 or a 2.0; anything that gets changed is something you've got to address," Russo said. "It won't be anything too drastic. It will be based on input we've gotten over the last year and a half from all of our stakeholders."

Russo said some of the areas that will be tweaked or clarified will be around wireless implementations, application security and pre-authorization.

Russo is attending RSA Conference 2008, where thousands of IT security professionals have gathered this week. PCI and compliance issues are among the top concerns of conference attendees.

Russo said that the PCI standard lives on a two-year lifecycle, and the next version comes due in September. A beta version of the standard will be released in August to the council's 500 participating organizations, as well as all of the council's qualified security assessors for feedback. They'll have 30-45 days to look it over for a "sanity check," Russo said. "It's a pretty good checks-and-balances system."

Russo said that additional guidance and clarification will be available in May for requirement 6.6, which moves from best practice to mandatory on June 30. PCI 6.6 has been the subject of some confusion for merchants trying to interpret how it's written. The section, which falls under the main heading of developing and maintaining secure systems and applications, covers the security of Web-facing applications. As of June 30, it will mandate that Web apps be protected against known attacks either by having custom code reviewed by a third party or by installing an application-layer firewall in front of the Web app.

"There are guidance documents coming out that will clarify a lot of this stuff before June," Russo said.

The council recently posted a new document on its site called Navigating the DSS, which goes through each of the requirements in detail, explaining the intent and how requirements can be met.

The confusion over 6.6 rests in the either-or nature of the wording.

"Personally, I'd love to see everyone go through an OWASP-based source-code review, but certainly, that's not going to happen," Russo said, referring to the expensive and time-consuming process of manual code reviews. "So the application firewall is probably the best thing to do, but there needs to be some clarification around what it needs to do. That clarification is coming; that's been the biggest question."
