PCI standard changes ahead

The PCI Security Standards Council (PCI SSC) published documentation highlighting the expected changes to be introduced with version 2.0 of the PCI DSS and PA-DSS in October 2010.

Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include:

• Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides
• Support for centralized logging included in PA-DSS to promote more effective log management
• Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
• Greater alignment between PCI DSS and PA-DSS to facilitate stronger security practices.

“The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data,” said Bob Russo, general manager, PCI Security Standards Council. “With the changes to the PCI DSS and PA-DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data.”