Changes to PCI rules a step in the right direction, analysts say
A major revision to the data security standard was announced last week
Computerworld - Last week's enhancements to the Payment Card Industry Data Security Standard and the creation of a new company for managing the standard should help alleviate some core issues related to its adoption, analysts said.
The PCI standard is a set of 12 security requirements that all entities handling credit cards were expected to have in place by June 2005. The standards call for, among other things, the encryption of cardholder data, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. The requirements are being promoted by all of the major payment brands, including American Express Co., Visa International Inc., MasterCard Worldwide, Discover Financial Services and Japan Credit Bureau.
Last week, the companies released Version 1.1 of the standard, featuring some expected changes (download PDF). They also announced the creation of the PCI Security Standards Council LLC, a Wakefield, Mass.-based company that will be responsible for developing and maintaining the standards.
Both moves have been expected for some time now, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. Even so, the announcements should help drive broad adoption of the standard, he said.
One of the most significant changes in the new version is the allowance for companies to put in compensating controls in cases where they are unable to implement a prescribed requirement because of technical or cost reasons. For instance, firms that find it difficult to encrypt stored cardholder data will no longer be absolutely obligated to put that specific control in place -- as long as they can verifiably demonstrate other equally good measures for mitigating risk to the data, said Seana Pitt, chairwoman of the new company.
As long as companies can demonstrate to a PCI auditor that they are meeting "the end goal of protecting the data" via compensating controls, they will be considered in compliance with PCI requirements she said.
The flexibility is especially crucial when it comes to the encryption requirement, because many large companies have been struggling with that issue, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. "What this means is that companies can relax a bit about encryption, though it is not asking them to quit" entirely, she said.
"I think most of the problems implementing the previous version of the standard was around this issue of database-field-level encryption," said Amichai Shulman, chief technology officer at Imperva Inc., a Foster City, Calif.-based security vendor. "I think this makes it more practical to implement the requirements of this standard."
The release of Version 1.1 of the PCI standard is also likely to clear up confusion that may have existed regarding the acceptability of compensating controls, Litan said. "They have never recognized [the use of compensating controls] in writing. Everyone knew you could have compensating controls when you worked with a PCI assessor, but it was never acknowledged officially."
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!