The Security Pub

Random Thoughts About Security

PCI-DSS 2.0 Is Here

With the changes to the PCI-DSS and PA-DSS that take effect Jan. 1, 2011, organizations are advised to conduct a “scoping” exercise to determine where cardholder data is located, institute more effective log management in securing cardholder data, and adopt a risk-based approach when addressing vulnerabilities.

As I have talked about in previous articles, the lifecycle of the PCI Council's standards will be extended from the current two years to three years to give merchants more time to implement them. In addition, greater flexibility has been introduced for small merchants to enable them to comply with the standards, including the establishment of a microsite with information specifically targeted to them.

Version 1.2 of PCI-DSS and PA-DSS will be retired on Dec. 31, 2011, giving organizations that have not fully implemented version 1.2 time to complete the process before 2.0 becomes the only accepted version.

2010 PCI SSC Community Meeting in Orlando

I just got back from the PCI SSC Community Meetings in Orlando, Florida. Not only was it good to see colleagues that I haven't seen in a while, but a lot of the information that was shared with everyone at the meetings was great.


If you have to comply with the Payment Card Industry Data Security Standard (PCI DSS), you should already be aware that the PCI Security Standards Council is issuing version 2.0 of the standard by the end of this October. Be on the lookout here for more information regarding the new version as soon as the PCI SSC releases it to the public.

PCI Council Announces PCI DSS 2.0

Yesterday the PCI Council announced in a press release the summary of changes coming in the next release of the PCI DSS and PA-DSS. I have read through this document and I'm really not that impressed with it. There are no significant changes to the PCI DSS going into the new three-year lifecycle. Now, this is really good for merchants.

Maybe we will get some more insight as to why there are no significant changes when we are at the community meetings this year in Orlando Florida.

I look forward to hearing more about the proposed changes on Requirement 6.2 to apply a risk-based approach for addressing vulnerabilities.

Let me know what your thoughts are on the summary of changes to the DSS Standards.

Check out the Summary of Changes for PCI 2.0


Tokenization Guidance

Tokenization has been a hot topic for PCI compliance; it relieves merchants of the need to keep credit card numbers on file and to secure them. Tokenization substitutes a token (a surrogate value with no mathematical relationship to the card number) for the PAN in transactions and stored records; only the token vault holds the mapping back to the real number. A merchant can outsource this type of payment processing to a service provider, or develop the capability in-house. Tokenization is one of the options, along with encryption, truncation and one-way hashing, available to fulfill PCI Requirement 3.4 to render the PAN unreadable anywhere it is stored.
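To make the mechanics concrete, here is a small token vault written as an added example for this post; it is not code from the page, from the PCI SSC or from the Securosis series. The design choices are assumptions: tokens are random, keep the PAN's length and last four digits so downstream systems need no schema change, and are deliberately forced to fail the Luhn check so a token can never be mistaken for a real card number. The vault indexes PANs with an HMAC (so the same card gets the same token, without storing a brute-forceable bare hash) and, in this toy, keeps the PAN in memory; a real vault would encrypt it and sit inside the cardholder data environment. The test PAN is the well-known 4111111111111111 test number.

```python
"""Minimal token vault illustrating PCI-style tokenization (added example, stdlib only)."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """Syntactic PAN check: 13-19 digits that pass Luhn."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """The only component that ever sees a PAN; it belongs inside the CDE.

    Assumptions (not from the page): tokens keep the PAN's length and last four
    digits and are forced to fail Luhn so they cannot pass as a card number.
    A production vault stores the PAN encrypted; this toy keeps it in a dict.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed hash lets us reuse one token per PAN
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        # HMAC, not a bare hash: SHA-256 of a 16-digit PAN is brute-forceable offline.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random digits of the same length, last four preserved, never Luhn-valid."""
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        if not is_pan(pan):
            raise ValueError("value is not a syntactically valid PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path inside the CDE should be allowed to call this."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant's order system keeps: a token and display digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"   # constructed: standard test card number
    order = merchant_checkout(vault, test_pan)
    print(order)                                  # e.g. {'token': '5380...1111', 'last4': '1111'}
    assert vault.detokenize(order["token"]) == test_pan
```

The scoping point follows directly from the code: everything that only ever touches the output of `merchant_checkout` (order database, CRM, reporting) holds no cardholder data, while the process that can call `detokenize` is squarely in scope. Whether the vault is outsourced to a processor or run in-house, the PCI assessment turns on who can reach that method and the key material behind it.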

If you are considering tokenization then I would highly recommend reading the following Tokenization series from Securosis.