PCI DSS 2.0: On the Right Track!
October 2010 saw the introduction of a new version of the payment card industry data security standard (PCI DSS). Understand the implications of changes within PCI DSS 2.0 and how they will affect your organization. This note covers the most significant changes to the PCI DSS and introduces a means to address those changes.
The people who put together the payment card industry data security standard (PCI DSS) make a genuine attempt to be straightforward and have a very active feedback loop for improvements. True to this style, the changes are all published explicitly in a summary of changes. The document outlines minor adjustments mostly in the vein of clarifications and additional guidance.
The only actual requirement changes in 2.0 fall under the category of “evolving requirements.” These include a change to the way high-risk vulnerabilities are reported in section 6.1a. Specifically, a new ranking system for system vulnerabilities (a risk management best practice) is introduced, though it won’t become an official requirement until June 2012. This means that when vulnerabilities are identified, they must also be ranked from highest to lowest priority. PCI DSS recommends using a best-practice ranking system such as the Common Vulnerability Scoring System (CVSS; see Figure 1 below) or the vendor-supplied patch ratings (i.e. high, medium, low) that vendors define for their own security patches.
Figure 1. Common Vulnerability Scoring System (image not reproduced). Source: Forum of Incident Response and Security Teams (FIRST)
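To make the ranking step concrete, the following is an added example written for this note (it is not code from the original, from Info-Tech, or from the PCI Security Standards Council). It takes a mixed list of findings, some carrying a CVSS base score and some carrying only a vendor patch rating, normalises each to a high/medium/low band and sorts highest priority first. The numeric bands assume the qualitative ranges NVD applies to CVSS v2 scores (7.0 and above high, 4.0 to 6.9 medium, below 4.0 low), the vendor-wording synonyms are an assumption, and the asset names and identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Qualitative bands NVD applies to CVSS v2 base scores (assumed here; the note
# itself only says "use CVSS or vendor ratings").
CVSS_V2_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 0.0))

# Ordering used for the final ranking. "Unrated" sinks to the bottom but stays
# visible, so a finding with no usable rating is noticed rather than dropped.
PRIORITY = {"High": 3, "Medium": 2, "Low": 1, "Unrated": 0}

# Vendor patch ratings vary in wording; this synonym table is an assumption.
VENDOR_SYNONYMS = {
    "critical": "High", "high": "High", "important": "High",
    "medium": "Medium", "moderate": "Medium",
    "low": "Low",
}


@dataclass
class Finding:
    asset: str                           # hostname or system id (constructed)
    reference: str                       # CVE id or vendor bulletin id (placeholder)
    cvss_base: Optional[float] = None    # CVSS base score 0.0-10.0, if known
    vendor_rating: Optional[str] = None  # vendor-supplied rating, if known


def cvss_to_rating(score: float) -> str:
    """Map a CVSS base score onto the High/Medium/Low bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for label, floor in CVSS_V2_BANDS:
        if score >= floor:
            return label
    return "Low"  # not reachable: the 0.0 floor catches every valid score


def vendor_to_rating(rating: str) -> str:
    """Normalise a vendor rating string; unknown wording becomes Unrated."""
    return VENDOR_SYNONYMS.get(rating.strip().lower(), "Unrated")


def rate_finding(f: Finding) -> str:
    """CVSS wins when both are present, since it is the comparable scale."""
    if f.cvss_base is not None:
        return cvss_to_rating(f.cvss_base)
    if f.vendor_rating:
        return vendor_to_rating(f.vendor_rating)
    return "Unrated"


def rank_findings(findings: List[Finding]) -> List[Tuple[str, Finding]]:
    """Return (rating, finding) pairs ordered highest priority first."""
    def sort_key(f: Finding):
        rating = rate_finding(f)
        # Within a band a higher numeric score goes first; a missing score
        # counts as -1 so vendor-only findings follow scored ones in the band.
        score = f.cvss_base if f.cvss_base is not None else -1.0
        return (-PRIORITY[rating], -score, f.asset, f.reference)
    return [(rate_finding(f), f) for f in sorted(findings, key=sort_key)]


# Constructed sample scan output; identifiers are placeholders, not real findings.
SAMPLE_FINDINGS = [
    Finding("pos-terminal-01", "CVE-XXXX-0001", cvss_base=5.0),
    Finding("db-server-01", "CVE-XXXX-0002", cvss_base=9.3),
    Finding("web-frontend-02", "VENDOR-BULLETIN-1", vendor_rating="Critical"),
    Finding("web-frontend-02", "CVE-XXXX-0003", cvss_base=2.1),
    Finding("backup-host-01", "VENDOR-BULLETIN-2", vendor_rating="see notes"),
]

if __name__ == "__main__":
    for rating, f in rank_findings(SAMPLE_FINDINGS):
        print(f"{rating:<8} {f.asset:<16} {f.reference}")
```

Two design points worth noting: a CVSS score is preferred over a vendor rating when both exist, because CVSS is the one scale that is comparable across vendors, and an unrecognised vendor wording is surfaced as "Unrated" at the bottom of the list rather than being guessed, so the gap shows up in the ranking that an assessor reviews.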
Impact on IT
So how does this impact IT leaders? Given that most small and mid-sized enterprises cannot justify investing in professional assistance for PCI DSS interpretation and compliance, the clarifications and examples provided are welcomed by the DIY crowd. The second version of PCI DSS aims to ease newbies into best practices in data security, not to force those who have already put in heavy effort to comply with new and more challenging standards.
The Payment Card Industry Security Council recognizes that small retailers may have difficulty putting effort into compliance. Rather than adding more stringent requirements, the second version of PCI DSS is aimed at increasing clarity through new examples and more tactical recommendations than the original version offered. Aside from the minor change regarding rankings, there are no requirement changes, so organizations that have already begun compliance efforts under PCI DSS can continue with them. Referencing the newer documentation is helpful because it is intended to be an easier, more prescriptive guide.
- Organizations that haven’t looked at PCI DSS but process payment cards. Whether or not your organization is going to be held accountable by the bank for compliance, PCI DSS has good guidelines to help protect clients’ card data and reduce the risk of litigation. The new PCI DSS is easier to understand and is the perfect excuse to start evaluating current payment card related processes.
- Organizations already into PCI DSS. Don’t worry: unlike other frameworks, PCI DSS changes are made for the sake of adopters, not consultants and certification bodies. The payment card industry council isn’t concerned if your organization still adheres to the initial version of PCI DSS; they’re just happy you know how to spell it. The majority of retailers have a lot of ground to cover in improving data security standards for payment card processing – pat yourself on the back and gradually adopt version 2.0 when you need to reference the literature.
- Everyone else. Don’t process payment cards? PCI DSS is still an excellent data security framework and should be considered by any IT professional that is looking to adopt security best practices.
For more guidance on the PCI DSS compliance, refer to the Info-Tech solution set, Develop a Strategy for PCI DSS Compliance.