The Payment Card Industry Security Standards Council (PCI SSC) issued version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) this week, making the new document widely available. It contains 12 minor changes.
PCI DSS 2.0 takes effect on Jan. 1, but merchants won't have to become fully compliant with the new version until Dec. 31, 2011. The release of PCI DSS 2.0 also begins a new three-year development lifecycle, so the document won't undergo any further changes until 2014.
The updated standard doesn't introduce any major new requirements, according to the council. Most of the PCI changes are minor language adjustments that clarify the meaning of existing requirements. The changes reinforce the need for thorough scoping prior to an assessment and promote more effective log management. Other changes broaden the validation requirements for assessing vulnerabilities in a merchant environment, allowing merchants to use industry best practices to prioritize which vulnerabilities to remediate first.
The new document also more closely aligns PCI DSS with the Payment Application Data Security Standard (PA DSS).
In this interview, Jeremy King, the European director of the PCI SSC, discusses the changes in more detail and where the industry is headed.
PCI DSS 2.0 Finalized