The group that administers the Payment Card Industry Data Security Standard -- or PCI, for short -- this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.
As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.
The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express , to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.
Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council , which was set up two years ago to manage the standard, said in the summary FAQ document released this week (download PDF) that a "sunset date" has yet to be set for using the initial version of the standard. But at a minimum, companies will have at least three months after the sunset date is published to start conducting security assessments using Version 1.2, the council said.
Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.
For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.
Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.
On the other hand, the new version will require companies to stop using the Wired Equivalent Privacy (WEP) protocol to secure wireless communications involving cardholder data. New implementations of WEP won't be allowed after next March, while current wireless implementations based on the protocol must be discontinued by June 30, 2010.
In addition, companies that maintain offsite data storage facilities will be required to visit them at least once annually under PCI 1.2.
The new version is a "definite improvement" on the existing PCI standard, said Avivah Litan, an analyst at Gartner Inc. But, she added, the PCI council appears to have missed a chance to introduce some other long-needed changes.
According to Litan, one of the biggest issues with the PCI standard is that it makes very little distinction between networks belonging to large companies that process large volumes of card transactions and those belonging to businesses with much smaller transaction volumes. In large, complex network environments, it's often hard to say what exactly is covered by PCI and what isn't, she said. The standard, Litan claimed, allows for too much interpretation and leaves it entirely to PCI assessors to determine the scope of what needs to be protected.
Moreover, the standard is targeted primarily at e-commerce systems and isn't always clear on how the requirements should be applied in highly distributed brick-and-mortar environments, Litan said. For instance, many retailers continue to connect servers at each of their stores to systems in other locations ? but thus far, at least, the PCI standard has provided little guidance on that risky practice.
Litan said there also is considerable ambiguity surrounding the requirements for third-party service providers, such as call centers that might be processing cardholder data on behalf of retailers. "What are your obligations," she asked, "if you are taking in card numbers and phone numbers and entering them into systems that are not yours?"
Another key missing element is guidance on how end-to-end encryption of cardholder data would affect a company's compliance obligations, Litan said.
To Litan, the new version of the standard would have been an ideal opportunity for the PCI council to have incorporated language clarifying such issues. "The questions that come up every day are not addressed at all by this upgrade," she said. "This is just really more of tinkering around the edges."
A spokesman for the PCI council wasn't immediately available to comment on Litan's assertions.