Saturday, April 20, 2024

Due out in October, PCI Update Will Consist of Tweaks, Council Says

The rules for protecting cardholder data will be updated in October, the PCI Security Standards Council announced on Wednesday. The PCI Council, the organization the payment card networks set up in 2006 to oversee the so-called Payment Card Industry data-security standard, or PCI DSS, is billing the coming changes more as tweaks than as a radical makeover of the rules that have drawn fire from many merchants. The revisions, to be dubbed PCI DSS Version 1.2, will not add any major requirements to the 12 already in place in the current Version 1.1, PCI Council General Manager Robert Russo tells Digital Transactions News. “We're refining things that need to be refined,” he says.

The upgrade is likely to address the security of payment card data transmitted over wireless networks, a topic that moved to the top of the worry list when supermarket chain Hannaford Bros. Inc. reported a hacker had intercepted authorization data in transit (Digital Transactions News, March 18). The Wakefield, Mass.-based council isn't saying what the final draft will say, but at the least, some confusing language in Version 1.1 regarding wireless security will be removed. The end product won't be simply a reaction to the Hannaford breach, according to Russo. “It's based on the way the world is changing,” he says.

Related topics of high interest include the security of payment applications linked to the Internet, along with so-called penetration testing of applications and network systems to assess their vulnerability to hackers. Sections 6.6 and 11.3 of the current standards, respectively, cover those areas. Last month, the council released informational supplements about those subjects.

Version 1.1 has been in place since September 2006. Russo says the rules come due for revisions about every two years, and Version 1.2 will be the result of addressing some 2,000 questions put to the PCI Council as well as input from various PCI-related groups and assessors.

“Contrary to popular belief, it's not the intent of the council to put everybody out of compliance by upgrading to a new version,” says Russo. Should the final draft of 1.2 call for anything that will take time to implement or otherwise impose a significant change, the council would label it as a “best practices” operation that would not be mandated for six months or longer, he says. That's the current situation with section 6.6, which covers such things as firewalls for Web-facing applications and which becomes mandatory June 30 after 18 months as a best practice.

The revisions also will incorporate existing and new best practices, clarify reporting requirements, eliminate overlapping sub-requirements, and consolidate documentation. Version 1.2 also will have an updated glossary and frequently asked questions section, Russo says.

Although the PCI Council is portraying the coming changes as anything but onerous, merchants and others that must comply with the rules still have worries, according to David Taylor, founder of Stamford, Conn.-based PCI Knowledge Base, a security research firm, and research director of the PCI Security Vendor Alliance. “If it was a major change in the standards, the question would be how does it affect people's existing investment,” he says. He adds that PCI Knowledge Base has just wrapped up open-ended interviews with 120 security executives.
