Changes to PCI standard not expected to up ante on protecting payment card data
PCI council previews modifications coming in Version 1.2 of card security standard
August 20, 2008 12:00 PM ETComputerworld - The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.
As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.
The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express, to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.
Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council, which was set up two years ago to manage the standard, said in the summary FAQ document released this week (download PDF) that a "sunset date" has yet to be set for using the initial version of the standard. But at a minimum, companies will have at least three months after the sunset date is published to start conducting security assessments using Version 1.2, the council said.
Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.
For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.
Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.
PCI
Additional Resources



White Papers & Webcasts
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Learn how you can meet the detailed technical requirements of HIPAA and delivers continuous compliance.
Data in Action: Making the Planet Smarter
Register Now
Getting in Compliance with Government Data Regulations
Learn about various regulations and how to comply with them when you read this white paper from VeriSign.
Maximizing Site Visitor Trust Using Extended Validation SSL
Provide site visitors visual cues that indicate your site is legitimate with Extended Validation (EV) SSL available from VeriSign.
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Authentication as a Service by Forrester Research
Learn more about Authentication-as-a-Service today!
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!
Take Control of Your Infrastructure
Access this white paper, compliments of Tripwire, for a limited time only!
Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

