New PCI Standards Finalized: Questions Still Remain About EMV, Tokenization
The final version of PCI-DSS 2.0 was released this week. It takes effect on Jan. 1, but affected entities have until Dec. 31, 2011, to become fully compliant.
"The biggest thing we've learned from this round of changes is that the PCI standards are maturing, and maturing gracefully," says Bob Russo, general manager of the PCI Security Standards Council, which oversaw the latest round of revisions. Although there are not many changes to the standard this time around, "it is clear to the council that different technologies that offer additional layers of security will be very important moving forward," Russo says.
There are 12 proposed changes in version 2.0 of the PCI-DSS, as well as of the PCI Payment Application Data Security Standard (PA-DSS). The changes fall into three main categories:
- Clarification: Clarifies the intent of a requirement and ensures that the wording of the standard conveys that intent concisely;
- Additional Guidance: Provides further information on a particular topic to increase understanding of the intent of the requirement;
- Evolving Requirement: Ensures the standards keep pace with emerging threats and changes in the marketplace.
Key updates include:
- Reinforcement of the need for a thorough scoping exercise prior to the PCI-DSS assessment, in order to understand where cardholder data resides;
- Support for centralized logging included in the PCI PA-DSS to promote more effective log management;
- Validation, within certain requirements, of a risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities; and
- Greater alignment between PCI-DSS and PA-DSS requirements to facilitate stronger security practices.
Those amendments were first introduced in August and then discussed at length during the North American PCI Community Meeting in September.
Emerging technology standards, including ones on tokenization and encryption, will be addressed in the future, Russo says. The council issued its first guidance on EMV and encryption in October.
"When we first started looking at the emerging technologies, we looked at strengthening the existing standards by adding additional layers of technology, including EMV, point-to-point encryption and tokenization," Russo says. EMV is the chip standard that has been widely adopted throughout Europe as well as other parts of the world, including Canada and Mexico. EMV aims to replace magnetic-stripe technology, which continues to linger in the U.S.
The PCI Council reached out to industry security experts on these emerging technologies. "There was great interest in these emerging technologies, and some very large special interest groups have been working on the guidance," he says. In fact, the council's whitepaper on EMV was reviewed by EMVCo, the body that created the standard. "It is a start, and the groups will be making some recommendations going into 2011 on the EMV and encryption technologies, along with tokenization," Russo says. No standards exist yet for point-to-point (P2P) encryption or for tokenization. "We will have to study how they cut the cardholder data environment, and, therefore, possibly cut the scope," he says.
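To make the scope argument concrete, the following is an added illustration of what tokenization does to a merchant's records; it is not code from the PCI Council or from any of the guidance groups, and the vault design, the `tok_` token format and the sample card numbers are constructed for this example. The point it shows is the one Russo describes: once the merchant's order system holds only a token and the last four digits, the primary account number (PAN) lives solely in the vault, so the order system no longer stores cardholder data.

```python
"""Toy tokenization vault (constructed example, not a product or a PCI specification).

The vault is the only component that ever sees or stores a full PAN; everything
downstream keeps a surrogate token plus the last four digits for receipts.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample PANs: well-known test numbers, not real cards.
VALID_PANS = ["4111111111111111", "5500000000000004"]
INVALID_PAN = "4111111111111112"  # fails the Luhn check


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: maps PAN <-> token and is the only PAN store."""

    def __init__(self, fingerprint_key: bytes) -> None:
        self._key = fingerprint_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Validate the PAN and return a stable, non-reversible surrogate."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        # Keyed fingerprint lets the same PAN map to the same token without
        # storing a plain hash that could be brute-forced over the PAN space.
        fingerprint = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fingerprint)
        if token is None:
            # Token is random, so it carries no information about the PAN
            # beyond the last four digits the merchant needs for receipts.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._token_by_fingerprint[fingerprint] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault (inside the CDE) can do this."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class OrderRecord:
    """What the merchant's order system is allowed to keep."""
    order_id: str
    token: str
    last4: str
    amount_cents: int


def merchant_checkout(vault: TokenVault, order_id: str, pan: str, amount_cents: int) -> OrderRecord:
    """Hand the PAN to the vault immediately and persist only the token."""
    token = vault.tokenize(pan)
    return OrderRecord(order_id=order_id, token=token, last4=pan[-4:], amount_cents=amount_cents)


def record_holds_pan(record: OrderRecord, pans: list[str]) -> bool:
    """Scope check: does any full PAN appear anywhere in the stored record?"""
    serialized = str(record)
    return any(pan in serialized for pan in pans)


def tokenize_rejects(vault: TokenVault, pan: str) -> bool:
    """True if the vault refuses the value (used to show input validation)."""
    try:
        vault.tokenize(pan)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    order = merchant_checkout(vault, "order-1", VALID_PANS[0], 1999)
    print(order)  # token and last4 only, no PAN
    print("PAN in merchant record:", record_holds_pan(order, VALID_PANS))
```

Running it prints an order record containing only a `tok_..._1111` token, which is what lets an assessor argue the order database is outside the cardholder data environment; the vault itself, its key and the detokenize path remain fully in scope.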
Training, Merchant Education
An additional program the PCI Council announced is the PCI Internal Security Assessor Program, which offers training to help organizations assess their own security programs internally.
The PCI Council is also opening a microsite for retailers who need more information and education about PCI requirements and compliance. The site's unveiling comes at the right time, as security experts have recently noted a PCI compliance gap between larger retailers and smaller merchants. Criminals are beginning to move "down the food chain to target Level 3 and Level 4 retailers with cyber and physical attacks," Russo says.