Changes to PCI Data Security Standard leave questions unanswered
PCI DSS 2.0 mostly about minor tweaks, analysts say
Computerworld - A new version of the PCI Data Security Standard scheduled for release later this year is likely to attract more attention for what it leaves unaddressed rather than what it changes, analysts say.
That assessment is based on a preview of proposed changes to the standard that was released today by the PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI DSS).
The preview suggests that most of the changes in PCI DSS 2.0, which is scheduled for release in October, are going to be incremental in nature and unlikely to cause major headaches for companies covered by PCI.
Much of the emphasis in the new version appears to be on fleshing out and clarifying existing guidelines rather than on introducing new ones.
But the new standard appears to leave largely untouched several issues where companies are looking for more guidance from the PCI council, analysts said.
"The standard's revisions seem like a positive step and don't seem to impose a lot of extra work and unreasonable requirements on complying organizations," said Avivah Litan, an analyst at Gartner.
"But what is glaringly lacking is progress on the hard and most important issues, including the implications of adopting alternative technologies" on PCI compliance requirements, she said.
According to Litan, many Gartner clients are trying to understand whether their adoption of new technologies such as chip cards, tokenization and end-to-end encryption will limit the scope of their compliance requirements, Litan said.
But most of the clarifications around such issues have been left for special interest groups to figure out, she said. "These SIGs are not being held to any particular deadlines, and it's still unclear how their reports will fold into PCI requirements," she said.
The PCI Security Standards Council's guidance around virtualization technologies is another area that is going to be closely watched, said James Paul, senior vice president of delivery at Trustwave, which provides PCI assessment services for many of the largest retailers in the country.
"Overall, there are no big surprises here. There is certainly nothing in the proposed list that our clients will have a lot of heartburn addressing," Paul said.
Today's preview indicates that the new standard will offer new guidance on how the use of virtualization technologies will impact PCI compliance requirements, he said. But a lot will depend on the amount of detail that is provided in the new version of the standard, he added.
"I'm encouraged that they are giving some additional guidance around virtualization," Paul said. "But we just can't get enough concrete details fast enough."
Many Trustwave customers want to know today if their use of virtualization technologies will increase the scope of their PCI requirements, he noted. "It's an emerging technology. There are a lot of questions around it," Paul said. "There are a lot of people somewhat hesitant to dive into it until they see some guidance."


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Database Activity Monitoring Is Evolving
- Read the analyst report and learn how you can leverage the core capabilities of a DAP solution for better database security.
- Practice Management: Double Billing Rate and Improve Patient Services
- Would you like to double your billing rate and achieve faster payment for services?
Download this customer success story to see how One Health... - Mission Critical Data Explosion and Customer Case Study
- Would you like to double your tier 1 storage capacity while simultaneously reducing your storage footprint?
Download this customer success story to see how... - Protecting Against Database Attacks and Insider Threats: Top 5 Scenarios
- Read this new eBook to learn the top five scenarios and essential best practices for preventing database attacks and insider threats.
- Establishing a Strategy for Database Security is No Longer Optional
- The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three... All Security Hardware and Software White Papers
- Close a Dangerous Vulnerability: Automated Methods for Managing Admin Rights
- In this exclusive webcast from Viewfinity, you'll hear how to leverage Group Policy Object settings to close this vulnerability by elevating privileges for...
- Case Study: Kimberly-Clark Implements Workday for Global Human Resources
- See how Kimberly-Clark evaluated and deployed SaaS when it upgraded its human capital management system, gaining software security and peace of mind across...
- Distributed Database Security with Real-time Monitoring
- View this demo and learn how IBM InfoSphere Guardium database activity monitoring can help protect your sensitive data in distributed DBMS environments with...
- InfoSphere Warehouse Packs Demo
- These flash modules make warehousing more tangible and relevant to business users through detailed explanations of the InfoSphere Warehouse Packs.
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,...
All Security Hardware and Software Webcasts