The Payment Card Industry (PCI) Security Standards Council released version 2.0 of the Data Security Standard (DSS) on October 28, 2010. According to the Council, version 2.0 introduces no major new requirements, but it does deliver a hefty dose of needed clarification. The 2.0 era also ushers in a new timeline for the revision process, extending it from a roughly 24-month cycle (version 1.0 was released in 2004, version 1.1 in September 2006 and version 1.2 in October 2008) to a three-year cycle. The longer timeline is intended to give stakeholders more opportunities to identify and submit feedback, and gives merchants a more workable start date for implementation. A gradual, phased introduction of new versions of the standard, along with longer sunset periods for the outgoing versions, should help prevent organizations from becoming noncompliant the moment changes are published.
Version 2.0: What’s New
According to the PCI Council, the majority of changes are modifications to the language which clarify the meaning of the requirements and make understanding and adoption easier for merchants. “These revisions,” states the Council, “serve to reinforce the need for a thorough scoping exercise prior to assessment in order to understand where cardholder data resides; promote more effective log management in securing cardholder data; allow organizations to adopt a risk-based approach when assessing and prioritizing vulnerabilities that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts.”
The new version has a comprehensive glossary; several terms used in earlier versions were never defined there and left room for misunderstanding. Version 2.0 also aligns PCI DSS with the Payment Application DSS (PA-DSS), replacing the dissimilar terminology previously used in the two documents with unified terms, and it provides more detail on what counts as “cardholder data” and “sensitive authentication data.”
Another notable change in version 2.0 is that the PCI DSS requirements now explicitly address server virtualization, with virtual components named among the system components that can fall in scope. Previous versions of the standard expected payment card information to be kept separate from general corporate data, but did not clearly define what “separate” meant, particularly when the two share a hypervisor.
However, even version 2.0 does not prescribe the tools or controls that should be used to separate systems in PCI scope (any system that stores, processes or transmits cardholder data, or is connected to one that does) from the rest of the network. Until detailed guidance on server virtualization becomes an official part of the standard, the judgment call remains with the auditor, and auditors’ understanding of virtualization and how it works varies widely.
Version 2.0 prohibits the use of Wired Equivalent Privacy (WEP), a deprecated security algorithm for IEEE 802.11 wireless networks. In its place, Requirement 4.1.1 reads: “Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.” By naming industry best practices rather than a single protocol, the PCI Council left the door open for newer wireless security standards; WEP itself was once considered the “standard” for protecting wireless transmissions of data.
In addition to identifying vulnerabilities, version 2.0 requires that newly discovered vulnerabilities be assigned a risk ranking (Requirement 6.2). The standard points to industry best practices for the ranking criteria; for example, a “high” ranking may be driven by a CVSS base score of 4.0 or above, a vendor patch classified as critical, or a vulnerability affecting a critical system component. An assessor verifies this by interviewing responsible personnel to confirm that a process exists to identify new security vulnerabilities and that each one receives a risk ranking. Version 2.0 also requires quarterly testing both for the presence of wireless access points and for detecting unauthorized wireless access points (Requirement 11.1).
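The two wireless points above, strong encryption on every access point that touches the cardholder data environment (4.1.1) and a quarterly scan that surfaces access points nobody authorized (11.1), reduce to a comparison between what a scan sees and what the inventory says should be there. The following Python script is an added example, not part of the original article or any Council publication: it parses a constructed scan listing, compares it against a constructed inventory of authorized access points, and flags weak encryption modes, unknown radios advertising the cardholder-data SSID, and unknown radios in general for triage. All BSSIDs, SSIDs, the CSV scan shape and the set of modes treated as “strong” are assumptions made for the example.

```python
"""Added example: triage a wireless scan against an authorized-AP inventory.

Covers the two wireless checks discussed above: inventoried access points in
the cardholder data environment must use strong encryption (PCI DSS 4.1.1,
e.g. IEEE 802.11i / WPA2), and the quarterly scan (11.1) must surface access
points that are not in the inventory. Every BSSID, SSID and the scan format
below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed inventory: BSSID -> the SSID that radio is authorized to broadcast.
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:33:44:01": "HOTEL-POS",
    "00:11:22:33:44:02": "HOTEL-POS",
}
# SSIDs that carry cardholder data or connect to the CDE (constructed).
CDE_SSIDS: Set[str] = {"HOTEL-POS"}
# Modes accepted here as "strong encryption" under 4.1.1 (an assumption for the
# example). WEP, open networks and original WPA (TKIP) are deliberately absent.
STRONG_MODES: Set[str] = {"WPA2", "WPA2-ENTERPRISE", "WPA3"}

# Constructed scan output in a simple CSV shape: bssid,ssid,security,channel.
SAMPLE_SCAN = """\
# bssid,ssid,security,channel
00:11:22:33:44:01,HOTEL-POS,WPA2-Enterprise,6
00:11:22:33:44:02,HOTEL-POS,WEP,11
AA:BB:CC:DD:EE:01,HOTEL-POS,OPEN,6
AA:BB:CC:DD:EE:02,Guest-WiFi,WPA2,1
"""


@dataclass(frozen=True)
class Observed:
    bssid: str
    ssid: str
    security: str
    channel: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str  # "high" fails the requirement outright, "info" needs triage
    reason: str


def parse_scan(text: str) -> List[Observed]:
    """Parse the constructed CSV scan, skipping blank lines and '#' comments."""
    rows: List[Observed] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, channel = (f.strip() for f in line.split(",", 3))
        rows.append(Observed(bssid.upper(), ssid, security.upper(), int(channel)))
    return rows


def assess(seen: Iterable[Observed], authorized: Dict[str, str],
           cde_ssids: Set[str]) -> List[Finding]:
    """Compare observed access points with the inventory and return findings."""
    findings: List[Finding] = []
    for ap in seen:
        expected_ssid = authorized.get(ap.bssid)
        if expected_ssid is None:
            if ap.ssid in cde_ssids:
                # Unknown radio advertising the CDE network: rogue AP or evil twin (11.1).
                findings.append(Finding(ap.bssid, ap.ssid, "high", "unauthorized-cde-ssid"))
            else:
                # Not ours and not claiming to be; likely a neighbour, but logged for triage.
                findings.append(Finding(ap.bssid, ap.ssid, "info", "unknown-ap"))
            continue
        if ap.ssid != expected_ssid:
            # Inventoried radio broadcasting something other than its assigned SSID.
            findings.append(Finding(ap.bssid, ap.ssid, "high", "ssid-mismatch"))
        if expected_ssid in cde_ssids and ap.security not in STRONG_MODES:
            # Inventoried CDE access point still on WEP, open or WPA-TKIP fails 4.1.1.
            findings.append(Finding(ap.bssid, ap.ssid, "high", "weak-encryption"))
    return findings


def missing_authorized(seen: Iterable[Observed], authorized: Dict[str, str]) -> List[str]:
    """Inventoried BSSIDs the scan did not observe; worth reconciling each quarter."""
    observed = {ap.bssid for ap in seen}
    return sorted(b for b in authorized if b not in observed)


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for f in assess(scan, AUTHORIZED_APS, CDE_SSIDS):
        print(f"{f.severity:4} {f.bssid} {f.ssid!r}: {f.reason}")
    print("not seen:", missing_authorized(scan, AUTHORIZED_APS))
```

On the constructed scan the script reports the inventoried access point still running WEP, the unknown radio broadcasting the HOTEL-POS SSID as an open network, and the guest network as an informational unknown; the compliant WPA2-Enterprise radio produces no finding. In a real hotel the "unknown-ap" class will be dominated by neighbouring properties, which is why it is kept separate from the "high" findings rather than dropped: the quarterly test still has to show that each was looked at.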
PCI compliance in hospitality: an ongoing challenge
The hospitality industry still accounts for the most instances of credit card data breaches by a significant margin. Although it has been more than six years since the inception of PCI DSS, many hospitality operators still do not understand its importance. Of the hotels included in Hospitality Technology’s “2011 Lodging Technology Study,” 82% have installed firewall configurations, 79% have assigned a unique ID to each person with computer access, 73% restrict physical access to cardholder data, 73% maintain information security policies for employees and contractors, and 65% test security systems and processes on a regular basis. Although these figures show that the majority of lodging properties are progressing toward compliance, more work remains for full, ongoing compliance. Under these standards, “almost compliant” is not compliant. It remains extremely important for hospitality organizations to review their PCI compliance continuously, not just at assessment time.