A quick introduction to PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
The PCI DSS aims to facilitate the broad adoption of consistent data security measures on a global basis. These data security standards cover everything from the point of entry of card data into a system, to how the data is processed, through secure payment applications. The PCI Security Standards Council seeks to protect and educate industry players such as merchants, processors, financial institutions, and any other organizations that store, process, and transmit cardholder data around the world.
PCI DSS version 2.0
The release of the new PCI DSS version, numbered 2.0, seems to be a source of relief to many organizations in the credit card industry as it introduces only a few new requirements and offers greater clarification and guidance to help merchants with their compliance efforts. While there were fears that the PCI Security Standards would introduce dramatic changes between version 1.2 and 2.0, instead it does much to sharpen standards with guidance and clarification of the main themes.
With 2.0, the PCI Standards Council is trying to strike a balance between its goal as a standard for securing cardholder data with the realities of implementation by the merchant and vendor communities. The changes and guidelines are more about the administration of the PCI compliance process. Organizations already compliant with 1.2 will not find it difficult to comply with 2.0.
New approaches and standards
The new standard provides a much clearer timeline for compliance with the January 2012 deadline, giving organizations time to plan and move to version 2.0. However, unlike the previous version, PCI DSS 2.0 takes a more risk-based approach, providing Qualified Security Assessors (QSAs) in organizations with more discretion in deciding what level of security is appropriate to the circumstances.
For example, the standard in encryption key management that has always required keys be refreshed annually has now been relaxed, allowing QSAs to make an informed decision on when to refresh. The new standard also advocates the value of storing system logs, both to avert attacks and trace the cause of any breach. With updated system logs and effective software solutions, organizations would be able to detect earlier if systems are being attacked.
Among the clarifications in the PCI is the reinforced need for merchants to use a "discovery methodology" to find cardholder data in their networks as well as guidance on how security should be handled with new technology such as virtualization and cloud computing. While most organizations seem to have welcomed the renewed focus on risk, a few preferred regulations detailing what exactly should be done. The new standard moves away from Open Web Application Security Project (OWASP) to allow for others. The standard also leans support to virtual machines running on a physical server as long as each serves one primary function.
Conclusion
Though the standard has not changed any paradigms, it has rationalized and adopted a more pragmatic approach. It has moved away from rigid requirements around vulnerability management, lack of support of virtualization and OWASP to a risk-aligned vulnerability management, support of virtualization and key guidance on log management. Overall the new standard provides greater clarity on security requirements, improves flexibility for merchants, helps manage evolving risks, aligns with industry best practices and decreases redundant sub-requirements.