PCI Council Releases ‘Steady as She Goes’ Update of Security Rules

The new version 2.0 of the Payment Card Industry data-security standard (PCI) came out Thursday, an upgrade the PCI Security Standards Council says contains no major changes. Still, a document summarizing all the tweaks to the major card networks' common set of data-protection rules runs 20 pages in length. Among the more notable developments: the revision places more responsibility on merchants to find cardholder data in their computer systems ahead of their PCI audits, and the Council took steps to help small merchants meet their PCI duties.

“This really is almost steady as she goes,” Jeremy King, the Wakefield, Mass.-based PCI Council’s European regional director, tells Digital Transactions News. “We’ve not had to make any significant changes from [version] 1.2 to 2.0.” The PCI rules apply worldwide.

The Council simultaneously upgraded the closely related rules governing card-processing software, the Payment Application data-security standard, or PA-DSS. Going forward, the Council will update those two standards and another one, the PIN transaction security requirements (PTS), every three years. Many companies thought the current two-year upgrade cycle was too short, according to King. PCI version 2.0 takes effect Jan. 1, though merchants can still validate themselves against version 1.2 until Dec. 31, 2011, depending on their individual circumstances, King says.

While version 2.0 adds no major new rules, it does make many of what the Council calls clarifications or provides additional guidance. One of the most important of these is new language involving the scope of PCI compliance—the extent to which a merchant or processor’s computing and data-transmission systems store or pass cardholder data. If they touch the data, they’re “in scope.” Before their annual PCI audits, companies are now supposed to inform their Qualified Security Assessor (QSA) of every place card data could reside on their systems, the idea being to help the QSA at the outset and to make merchants aware that cardholder data could be stored in places they might not think of.

“If you’re a merchant you need to understand where your cardholder data is,” says James Paul, senior vice president of delivery at Chicago-based Trustwave Holdings Inc., which has more than 120 QSAs on staff. “I think a lot of folks are doing that already,” but he adds that the practice “needs more work” by many merchants.

Version 2.0 also adds a best practice, or what the Council calls an “evolving requirement,” to rule 6.2 about risk ranking that becomes mandatory July 1, 2012. Companies subject to PCI are supposed to identify their security vulnerabilities and state how they plan to mitigate them. These self-assessments could lead to some differences of opinion between QSAs and merchants, though they also could get merchants more involved in the PCI process. “We don’t love this because it introduces a gray area,” [but] “it’s an example of the Council attempting to be as flexible as possible,” says Paul.

The Council also is trying to be more accommodating with small merchants, according to King. Many still aren’t PCI compliant and find the whole process daunting. In one example, merchants may now visually ascertain the “rogue access points” in their computer systems that could enable Internet-based hackers to get in rather than using automated tools. For a small merchant with a single card-processing PC, that might be a visible wire to the outside. Version 1.2 did not explicitly permit visual inspections. “Actually we’re trying to give them more flexibility, so they [small merchants] don’t have to go and invest in a wireless analyzer,” says King. Visual inspections won’t suffice for mid-sized and large merchants with more complex systems. The PCI Council also is launching an informational Web site for merchants that includes a micro site specifically for small merchants.

Other notable changes include clarification that the primary account number (PAN) is the key piece of data that needs protection, and clarifications calling for more centralized log management to track activity on computer systems. Many systems have decentralized logs that can record when and how a data breach happened, but such information often is buried, King says. Also, the rules now acknowledge the growing practice of virtualization, which broadly speaking enables merchants to use multiple operating systems on a single server or host computer.

Links to the new versions of PCI and PA-DSS as well as the summaries of changes and related documents can be found at: www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&assocation=PCI%20DSS.