Skip the navigation
News

Changes to PCI standard not expected to up ante on protecting payment card data

PCI council previews modifications coming in Version 1.2 of card security standard

By Jaikumar Vijayan
August 20, 2008 12:00 PM ET

Computerworld - The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.

As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.

The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express, to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.

Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council, which was set up two years ago to manage the standard, said in the summary FAQ document released this week (download PDF) that a "sunset date" has yet to be set for using the initial version of the standard. But at a minimum, companies will have at least three months after the sunset date is published to start conducting security assessments using Version 1.2, the council said.

Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.

For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.

Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

DRM and Legal Issues White Papers
Overcome Top 7 Admin Challenges of Active Directory
As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
Insiders Can Ruin Your Company. Take Action.
Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
Top Solutions and Tools to Prevent Devastating Malware
Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
Streamline Compliance and Increase ROI
Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will...
X-Ray of the PCI Process-4 Proactive Steps
This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
All DRM and Legal Issues White Papers
DRM and Legal Issues Webcasts
Optimizing Networks for the Cloud
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
Virtualize Business-Critical Applications with Confidence
Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®...
All DRM and Legal Issues Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs