The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), published documentation highlighting the expected changes to be introduced with version 2.0 of the PCI DSS and PA-DSS in October 2010. In an effort to provide greater clarity and ongoing transparency, this summary will help all organizations involved in payment card security prepare to align their PCI security programs with the updated standards.
Participating Organizations will have the opportunity to discuss these changes at the PCI SSC Annual Community Meetings in Orlando and Barcelona, prior to the publication of the final standards on October 28.
As part of the planned standards lifecycle process, the proposed changes were developed with input and ongoing industry feedback received from merchants, banks, processors and vendors in the PCI community. This was gathered both through the Council's formal feedback period and through additional channels such as industry events, the PCI SSC's Open Mic series and the online FAQ. Hundreds of pieces of feedback were received during this process, with more than half originating from outside the United States. As a result of this input, revisions categorized as clarifications, additional guidance and evolving requirements give organizations more flexibility in implementing controls, help them better manage evolving threats, and address scoping and reporting elements. Changes also increase alignment between the PCI DSS and PA-DSS, making it easier to achieve compliance with both standards.
Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include:
- Reinforcement of the need for a thorough scoping exercise prior to a PCI DSS assessment, in order to understand where cardholder data resides
- Support for centralized logging included in PA-DSS to promote more effective log management
- Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
- Greater alignment between PCI DSS and PA-DSS to facilitate stronger security practices
"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," says Bob Russo, general manager, PCI Security Standards Council. "With the changes to the PCI DSS and PA-DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."
The document will help stakeholders begin to prepare for discussion of the new versions of the PCI DSS and PA-DSS at the forthcoming Community Meetings in the US and Europe. A more detailed summary of changes and pre-release versions of the revised standards will also be provided to Participating Organizations in early September.
The PCI SSC also invites Participating Organizations and the public to a webinar that covers the summary of changes in greater depth, to be held on August 24th at 3:00 p.m. ET / noon PT, and August 26th at 11:00 a.m. ET / 8:00 a.m. PT.