Reading the Tea Leaves: Changes to the PCI DSS?


Posted by Scott Simpson on Thu, Jul 15, 2010 @ 09:34 AM
As we approach the end of the PCI Security Standards Council (SSC) “Lifecycle Process for Changes to the PCI DSS” and associated community meetings, many of my clients and colleagues are asking the same question: “What is going to change?”


In the case of my colleagues, the discussion is more sporting than anything else. In the case of my clients, however, speculation about changes to the PCI DSS is causing some budgetary anxiety, mainly because many organizations begin their fiscal year planning well in advance of the anticipated fourth quarter release. So the question remains: "what is going to change?"

Unfortunately, I do not have the answer to that question. Nonetheless, I do think we can draw some inferences from the various comments that have been made regarding the coming changes, or lack thereof as the case may be. Bob Russo, General Manager of the PCI SSC, is on record saying there would be no surprises in the 2010 update. Furthermore, the PCI SSC announced a new three-year refresh cycle, which will lengthen the process for future changes. Based on these two pieces of key information and the emphasis on guidance documents, I believe that the card brands and the PCI SSC are giving the industry a chance to create solutions that will further mitigate the risk to card data.

Visa has been largely responsible for pushing the adoption of the PCI DSS into the payment industry. Maybe it is time for the payment industry to tackle the challenge of implementing the risk reduction solutions that are already available. The payment industry should treat the PCI DSS as a minimum standard of care and build control frameworks that exceed its requirements, or make them irrelevant. For example, Chip and PIN, end-to-end encryption, tokenization, and virtualization all have the potential to exceed the requirements and reduce the risk to card data beyond what the Data Security Standard demands.

The PCI SSC has been gradually providing more and more rigorous guidance through both training and Information Supplements. Moving forward, the SSC will focus on continuing to tighten the screws through additional Information Supplements and training. This will reduce the overall risk to card data without the backlash that significant changes to the DSS would create.

Hope everyone is having a good compliance season. I'm looking forward to catching up at the Community meeting in Orlando.
