Changes to PCI rules a step in the right direction, analysts say

Computerworld - Last week's enhancements to the Payment Card Industry Data Security Standard and the creation of a new company for managing the standard should help alleviate some core issues related to its adoption, analysts said.

The PCI standard is a set of 12 security requirements that all entities handling credit cards were expected to have in place by June 2005. The standards call for, among other things, the encryption of cardholder data, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. The requirements are being promoted by all of the major payment brands, including American Express Co., Visa International Inc., MasterCard Worldwide, Discover Financial Services and Japan Credit Bureau.

Last week, the companies released Version 1.1 of the standard, featuring some expected changes (download PDF). They also announced the creation of the PCI Security Standards Council LLC, a Wakefield, Mass.-based company that will be responsible for developing and maintaining the standards.

Both moves have been expected for some time now, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. Even so, the announcements should help drive broad adoption of the standard, he said.

One of the most significant changes in the new version is the allowance for companies to put in compensating controls in cases where they are unable to implement a prescribed requirement because of technical or cost reasons. For instance, firms that find it difficult to encrypt stored cardholder data will no longer be absolutely obligated to put that specific control in place -- as long as they can verifiably demonstrate other equally good measures for mitigating risk to the data, said Seana Pitt, chairwoman of the new company.

As long as companies can demonstrate to a PCI auditor that they are meeting "the end goal of protecting the data" via compensating controls, they will be considered in compliance with PCI requirements she said.

The flexibility is especially crucial when it comes to the encryption requirement, because many large companies have been struggling with that issue, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. "What this means is that companies can relax a bit about encryption, though it is not asking them to quit" entirely, she said.

"I think most of the problems implementing the previous version of the standard was around this issue of database-field-level encryption," said Amichai Shulman, chief technology officer at Imperva Inc., a Foster City, Calif.-based security vendor. "I think this makes it more practical to implement the requirements of this standard."

The release of Version 1.1 of the PCI standard is also likely to clear up confusion that may have existed regarding the acceptability of compensating controls, Litan said. "They have never recognized [the use of compensating controls] in writing. Everyone knew you could have compensating controls when you worked with a PCI assessor, but it was never acknowledged officially."