Changes to PCI rules a step in the right direction, analysts say
A major revision to the data security standard was announced last week
Computerworld - Last week's enhancements to the Payment Card Industry Data Security Standard and the creation of a new company for managing the standard should help alleviate some core issues related to its adoption, analysts said.
The PCI standard is a set of 12 security requirements that all entities handling credit cards were expected to have in place by June 2005. The standards call for, among other things, the encryption of cardholder data, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. The requirements are being promoted by all of the major payment brands, including American Express Co., Visa International Inc., MasterCard Worldwide, Discover Financial Services and Japan Credit Bureau.
Last week, the companies released Version 1.1 of the standard, featuring some expected changes (download PDF). They also announced the creation of the PCI Security Standards Council LLC, a Wakefield, Mass.-based company that will be responsible for developing and maintaining the standards.
Both moves have been expected for some time now, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. Even so, the announcements should help drive broad adoption of the standard, he said.
One of the most significant changes in the new version is the allowance for companies to put in compensating controls in cases where they are unable to implement a prescribed requirement because of technical or cost reasons. For instance, firms that find it difficult to encrypt stored cardholder data will no longer be absolutely obligated to put that specific control in place -- as long as they can verifiably demonstrate other equally good measures for mitigating risk to the data, said Seana Pitt, chairwoman of the new company.
As long as companies can demonstrate to a PCI auditor that they are meeting "the end goal of protecting the data" via compensating controls, they will be considered in compliance with PCI requirements she said.
The flexibility is especially crucial when it comes to the encryption requirement, because many large companies have been struggling with that issue, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. "What this means is that companies can relax a bit about encryption, though it is not asking them to quit" entirely, she said.
"I think most of the problems implementing the previous version of the standard was around this issue of database-field-level encryption," said Amichai Shulman, chief technology officer at Imperva Inc., a Foster City, Calif.-based security vendor. "I think this makes it more practical to implement the requirements of this standard."
The release of Version 1.1 of the PCI standard is also likely to clear up confusion that may have existed regarding the acceptability of compensating controls, Litan said. "They have never recognized [the use of compensating controls] in writing. Everyone knew you could have compensating controls when you worked with a PCI assessor, but it was never acknowledged officially."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts