Changes to PCI standard not expected to up ante on protecting payment card data
PCI council previews modifications coming in Version 1.2 of card security standard
Computerworld - The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.
As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.
The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express, to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.
Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council, which was set up two years ago to manage the standard, said in the summary FAQ document released this week (download PDF) that a "sunset date" has yet to be set for using the initial version of the standard. But at a minimum, companies will have at least three months after the sunset date is published to start conducting security assessments using Version 1.2, the council said.
Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.
For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.
Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Knowledge Center White Papers | Webcasts