Retail Technology
Standards body announces next step in standards development with publication of summary of PCI DSS and PA-DSS changes

The PCI Security Standards Council (PCI SSC), the body that manages the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), has published documentation highlighting the changes expected in version 2.0 of the PCI DSS and PA-DSS, due in October 2010.

The Council said the summary, published in an effort to provide greater clarity and ongoing transparency, will help all organisations involved in payment card security prepare to align their PCI security programmes with the updated standards.

Participating Organisations will have the opportunity to discuss these changes at the PCI SSC Annual Community Meetings in Orlando and Barcelona, prior to the publication of the final standards on 28 October.

Taking iterative community feedback

As part of the planned standards lifecycle process, the proposed changes were developed with input and ongoing industry feedback received from merchants, banks, processors and vendors in the PCI community. This was gathered both through the Council’s formal feedback period and additional channels such as industry events, the PCI SSC’s ‘Open Mic’ series and online FAQ.

The Council reported that hundreds of pieces of feedback were received during this process, with more than half originating from outside the US. As a result of this input, revisions categorised as clarifications, additional guidance and evolving requirements give organisations more flexibility in implementing controls, help them better manage evolving threats, and address scoping and reporting elements. Changes have also been designed to increase alignment between the PCI DSS and PA-DSS, making it easier to achieve compliance with both standards, the body added.

Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Instead, the PCI SSC said, the key updates, clarifications and guidance include:

  • Reinforcement of the need for a thorough scoping exercise prior to a PCI DSS assessment, in order to understand where cardholder data resides;
  • Support for centralised logging included in PA-DSS, to promote more effective log management;
  • Validation, within certain requirements, of a risk-based approach to addressing vulnerabilities, allowing organisations to consider their specific business circumstances and tolerance to risk when assessing and prioritising vulnerabilities;
  • Greater alignment between PCI DSS and PA-DSS, to facilitate stronger security practices.

“The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data,” said Bob Russo, general manager, PCI Security Standards Council. “With the changes to the PCI DSS and PA-DSS outlined in advance, organisations will be better prepared to align their security programmes with the updated standards and ensure security of their cardholder data.”

Getting ready for the updates

The document will help stakeholders begin preparing for discussion of the new versions of the PCI DSS and PA-DSS at the forthcoming Community Meetings in the US and Europe. A more detailed summary of changes, together with pre-release versions of the revised standards, will also be provided to Participating Organisations in early September.

“The Council continues to promote active participation in the development of the standards,” said Michael Reidenbach, executive vice president and worldwide chief information officer at Global Payments, and member of the PCI SSC Board of Advisors. “The summary of changes not only gives stakeholders the information they need to plan for the updated standards, but also encourages industry involvement in shaping payment card security.”

The summary of changes highlights document is available from the PCI SSC website.