New PCI standards completed, tokenization still in question
The PCI Security Standards Council released version 2.0 of the PCI DSS and PA-DSS, designed to provide greater clarity and flexibility, to facilitate improved understanding of the requirements, and to make implementation easier for merchants.
Version 2.0 becomes effective on January 1, 2011 and does not introduce any new major requirements. The majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants.
Key revisions serve to reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides; promote more effective log management in securing cardholder data; allow organizations to adopt a risk-based approach when assessing and prioritizing vulnerabilities that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts.
The release of version 2.0 begins the new three-year lifecycle for standards development, which streamlines the development process by aligning the DSS, PA-DSS and PTS on a similar three-year schedule. The lifecycle also allows for minor revisions or errata to be issued throughout the cycle as necessary.
Ulf Mattsson, CTO of Protegrity, commented: “There is a particularly strong need for the PCI Security Standards Council to provide guidance on how tokenization of cardholder data can reduce the size of the Cardholder Data Environment (CDE) and outline acceptable tokenization architectures for implementations and operations. This is important because the CDE is that part of the network that possesses cardholder data or sensitive authentication data. Like many others, I expect the document to somewhat mirror the tokenization best practices document that Visa released in July, which will be a good framework for the industry to build on.”
“I’m happy the Council is acknowledging the need to address emerging technologies such as tokenization. As these technologies continue to mature and gain traction with merchants, I believe they will eventually find their way into the PCI DSS standards,” Mattsson added.