Changes to PCI rules a step in the right direction, analysts say
A major revision to the data security standard was announced last week
Computerworld - Last week's enhancements to the Payment Card Industry Data Security Standard and the creation of a new company for managing the standard should help alleviate some core issues related to its adoption, analysts said.
The PCI standard is a set of 12 security requirements that all entities handling credit cards were expected to have in place by June 2005. The standards call for, among other things, the encryption of cardholder data, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. The requirements are being promoted by all of the major payment brands, including American Express Co., Visa International Inc., MasterCard Worldwide, Discover Financial Services and Japan Credit Bureau.
Last week, the companies released Version 1.1 of the standard, featuring some expected changes (download PDF). They also announced the creation of the PCI Security Standards Council LLC, a Wakefield, Mass.-based company that will be responsible for developing and maintaining the standards.
Both moves have been expected for some time now, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. Even so, the announcements should help drive broad adoption of the standard, he said.
One of the most significant changes in the new version is the allowance for companies to put in compensating controls in cases where they are unable to implement a prescribed requirement because of technical or cost reasons. For instance, firms that find it difficult to encrypt stored cardholder data will no longer be absolutely obligated to put that specific control in place -- as long as they can verifiably demonstrate other equally good measures for mitigating risk to the data, said Seana Pitt, chairwoman of the new company.
As long as companies can demonstrate to a PCI auditor that they are meeting "the end goal of protecting the data" via compensating controls, they will be considered in compliance with PCI requirements she said.
The flexibility is especially crucial when it comes to the encryption requirement, because many large companies have been struggling with that issue, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. "What this means is that companies can relax a bit about encryption, though it is not asking them to quit" entirely, she said.
"I think most of the problems implementing the previous version of the standard was around this issue of database-field-level encryption," said Amichai Shulman, chief technology officer at Imperva Inc., a Foster City, Calif.-based security vendor. "I think this makes it more practical to implement the requirements of this standard."
The release of Version 1.1 of the PCI standard is also likely to clear up confusion that may have existed regarding the acceptability of compensating controls, Litan said. "They have never recognized [the use of compensating controls] in writing. Everyone knew you could have compensating controls when you worked with a PCI assessor, but it was never acknowledged officially."
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!