Scott Simpson | Blog


The Tea Leaves Revealed - New PCI Security Standards Released

Posted by Scott Simpson on Mon, Aug 23, 2010 @ 09:49 AM

The PCI Security Standards Council (SSC) released a summary of changes for the PCI DSS and PA-DSS standards. Both updated standards will be published as version 2.0. Continuous improvements will be made during the new three-year lifecycle.

The PCI DSS changes turned out to be fairly unremarkable, as predicted. The PCI Co. press release makes the following statement.

“Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include:

  • Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides
  • Support for centralized logging included in PA-DSS to promote more effective log management
  • Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
  • Greater alignment between PCI DSS and PA-DSS to facilitate stronger security practices”

Stay tuned for a follow-up on the industry reaction, interpretation and guidance provided during the upcoming community meeting scheduled for late September.

The full summary of changes is contained within a PDF available for download at https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf

To revisit my past blog series on PCI Compliance, check out the following links:

http://blog.solutionary.com/blog/bid/33470/Compensating-Controls-PCI-Compliance 

http://blog.solutionary.com/blog/bid/32828/PCI-Compliance-Series-Strategies-that-Work-Tokenization

http://blog.solutionary.com/blog/bid/32688/PCI-Compliance-Series-Strategies-that-Work-Part-3


Breach Security: When the Breach is Over

Posted by Scott Simpson on Wed, Jul 28, 2010 @ 11:26 AM

At Solutionary, we pride ourselves on customer service and support. In this business, that means we put ourselves on the line for our clients when things go bad. Incident response and coordination isn’t a cornerstone of our business, but it is something we do very well for our clients in a time of need. Unless your organization has an incident response program that is regularly exercised, it can be a little overwhelming when an incident is identified that indicates a breach has occurred.


When we get these types of calls, it isn’t because an employee has accessed inappropriate materials. It is because an IT administrator has been arrested for fraud or the company is undergoing a potentially brand-damaging attack or data loss. Incidents that attack the brand can be as simple as web site defacement or as complex as getting targeted by an organized crime group, but in either case, it helps to have a friendly firm on your side to provide guidance when the breach is over.

One of the most significant challenges we face in supporting our clients is helping them to determine whether or not an incident constitutes a breach. To help make this determination, we coordinate resources to analyze the intelligence available. While in some cases a forensic image of a system may help, most of the evidence we need is contained in the log data produced by the systems that support the environment where the incident occurred. However, in many cases the log data is unavailable due to a failure to configure or retain the information properly.

We are not asking for a vetted set of log data that has been correlated and normalized by a SIEM (although that would be nice). We just want the raw log data. Without this information, it is almost impossible to determine with certainty that an incident resulted in a breach that warrants notification under PCI, HIPAA/HITECH, or other compliance or legal requirements.

I encourage you all to review your log retention standards and capabilities to determine whether or not you maintain a minimum of 1 year of log data. Solutionary retains 100% of the raw logs we capture for our clients so they have forensically sound log data in their time of need.
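As an added example, not part of the original post, the following Python script audits a daily log archive against the one-year retention the post recommends. It reports not just the oldest file but any missing days inside the window, since a retention failure usually shows up as holes in the series rather than an empty archive. The file-naming pattern and the sample archive are constructed assumptions.

```python
import re
from datetime import date, timedelta

REQUIRED_DAYS = 365  # minimum raw-log retention window the post asks you to verify
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")  # assumed naming: syslog-YYYY-MM-DD.gz

def log_dates_from_names(filenames):
    """Extract the log day from archive names such as 'syslog-2010-03-14.gz'."""
    found = set()
    for name in filenames:
        m = DATE_RE.search(name)
        if m:
            found.add(date(*map(int, m.groups())))
    return found

def retention_gaps(log_days, today, required_days=REQUIRED_DAYS):
    """Return (first_missing, last_missing) ranges inside the retention window.

    An empty list means every day from today-required_days through today has a log.
    """
    window_start = today - timedelta(days=required_days)
    gaps, gap_start, day = [], None, window_start
    while day <= today:
        if day not in log_days:
            if gap_start is None:
                gap_start = day  # a hole begins
        elif gap_start is not None:
            gaps.append((gap_start, day - timedelta(days=1)))  # a hole ends
            gap_start = None
        day += timedelta(days=1)
    if gap_start is not None:
        gaps.append((gap_start, today))
    return gaps

def meets_retention(filenames, today, required_days=REQUIRED_DAYS):
    """True only when the archive covers every day of the window with no gaps."""
    return not retention_gaps(log_dates_from_names(filenames), today, required_days)

# Constructed sample archive: a year of daily syslog bundles with an eleven-day
# hole in March, the kind of gap a silently failed rotation job leaves behind.
AUDIT_DATE = date(2010, 7, 28)
SAMPLE_ARCHIVE = [
    f"syslog-{(AUDIT_DATE - timedelta(days=n)).isoformat()}.gz"
    for n in range(REQUIRED_DAYS + 1)
    if not date(2010, 3, 10) <= AUDIT_DATE - timedelta(days=n) <= date(2010, 3, 20)
]

if __name__ == "__main__":
    for first, last in retention_gaps(log_dates_from_names(SAMPLE_ARCHIVE), AUDIT_DATE):
        print(f"missing logs: {first} .. {last}")
    print("one-year retention met:", meets_retention(SAMPLE_ARCHIVE, AUDIT_DATE))
```

Point it at a real archive by replacing SAMPLE_ARCHIVE with a directory listing; a gap in the window is the finding to chase before an incident, not after.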


Reading the Tea Leaves: Changes to the PCI DSS?

Posted by Scott Simpson on Thu, Jul 15, 2010 @ 09:34 AM

As we approach the end of the PCI Security Standards Council (SSC) “Lifecycle Process for Changes to the PCI DSS” and associated community meetings, many of my clients and colleagues are asking the same question: “What is going to change?”


In the case of my colleagues, the discussion is more sporting than anything else. However, in the case of my clients, the speculation regarding changes to the PCI DSS is causing some budgetary anxiety. This nervousness is mainly due to the fact that many organizations begin their fiscal year planning well in advance of the anticipated fourth quarter release. So the question remains: “what is going to change?”

Unfortunately, I do not have the answer to that question. Nonetheless, I do think we can draw some inferences from the various comments that have been made regarding the coming changes, or lack thereof as the case may be. Bob Russo, General Manager of the PCI SSC, is on record saying there would be no surprises in the 2010 update. Furthermore, the PCI SSC announced a new three-year refresh cycle, which will lengthen the process for future changes. Based on these two pieces of key information and the emphasis on guidance documents, I believe that the card brands and the PCI SSC are giving the industry a chance to create solutions that will further mitigate the risk to card data.

Visa has been largely responsible for pushing the adoption of the PCI DSS into the payment industry. Maybe it is time for the payment industry to tackle the challenge of implementing the risk reduction solutions that are available. The payment industry should utilize the PCI DSS as a minimum standard of care and build control frameworks that exceed the requirements, or make them irrelevant. For example, Chip and PIN, End-to-End Encryption, Tokenization, and Virtualization all have the potential to exceed the requirements and reduce the risk to card data beyond that which is required by the Data Security Standard.

The PCI SSC has been gradually providing more and more rigorous guidance through both training and Implementation Supplements. Moving forward, the SSC will focus on continuing to tighten the screws through additional Information Supplements and training. This will reduce the overall risk to card data without the backlash that significant changes to the DSS would create.

Hope everyone is having a good compliance season. I'm looking forward to catching up at the Community meeting in Orlando.
