PCI Details Expected in October
Version 2.0 on Target to be Enacted Jan. 1

Merchants, financial institutions and any other provider in the payments chain can expect to take more responsibility for complying with Payment Card Industry Data Security Standards.
This is the overarching theme in the wake of the PCI Security Standards Council's annual North American Community Meeting in Orlando, Fla.
Simply put, internal corporate responsibility for PCI compliance is up to the industry, not the council. While the council has announced initiatives such as its new PCI Internal Security Assessor Program, designed to help payments providers better prepare for PCI reviews, the board also is quick to point out that it is only a recommendations body - not an enforcer.
Guidance on emerging technologies, encryption and globalization: those are the top three recommendations to emerge from the event.
What did not come out of the U.S. meeting are significant changes to current PCI standards, including the PCI Data Security Standard and the Payment Application Data Security Standard. That lack of changes is a testament to the maturity of the standards, PCI Council members say. "We're going into our third generation on a lot of the standards, and we're trying to do a better job to make sure each (standard) has its own specs," says Jeremy King, European head of the PCI Council, during his opening speech.
Timeline
In August, the council released its summary of expected changes to the standard. Next, on Oct. 28, the council is expected to release its final PCI-DSS and PA-DSS version 2.0 clarifications and recommendations, which then will take effect Jan. 1.
Companies that are not currently meeting PCI standards will be given time to catch up on compliance. The "sunrise" compliance date for version 2.0 is January 2012, and the old standards won't be retired until December 2011, King says. "So you have a whole year to get yourselves ready."
In May, the council also released version 3.0 of its PIN Transaction security requirements; and last week, some new guidance regarding EMV chip and PIN and point-to-point encryption was issued, shedding light on how PCI-DSS fits into the emerging technology fold.
But most of the two-day community session was spent just giving merchants and financial-services companies background about existing standards.
The Council's Role
Most attendees say they are satisfied with the council's decision to keep the standards more or less the same. How effective the PCI Council will be in the future, as the PCI community and the council itself continue to grow, remains a bit unclear. The council, now only six years old, is still evolving. The meeting in Orlando, many attendees say, was a first step toward defining the council and its role.

Joshua Corman, research director for The 451 Group, an information-technology analyst firm, says he doesn't see the PCI Council or its standards having a long-term impact. "I've been one of the most vocal critics of the PCI standard," he says. "Is the standard keeping pace with relative technology changes, with relative attacker changes? Is it working?"
Ultimately, the answer is "no," Corman says. "Look at virtualization and cloud computing; there is currently no guidance available," Corman says. "It's frustrating because companies are deploying this technology, but they have no guidance to direct them."
Other PCI attendees were a bit more positive. Catherine Pagliaro, a PCI-certified qualified security assessor, says PCI is having an effect on reducing fraud. "The companies I'm working with are definitely making improvements," she says. "We as an industry have a lot of work to do, but I'm optimistic. I think we're going to win this fight (against fraud), and I think the PCI standards are making a difference."
Connie Penn, managing director of England-based Kilrush Consultancy Ltd., says PCI standards have dramatically improved over the last several years, and the maturity of the PCI-DSS, in particular, is obvious. The standards are solid, she says. But ongoing clarification and guidance will be necessities for future compliance. "What we will always need are clarifications, because as the threat factors change in the marketplace. As point-of-sale systems change, we will always need new approaches to the implementation of PCI," she says. "But PCI is exactly where it should be."
Michael Petitti, chief marketing officer of Trustwave, a Chicago-based computer forensic firm, says the council has done a decent job of keeping its security standards current, especially given the diversity of the stakeholders involved. "I think additional direction regarding some of the emerging payment acceptance and security technologies, such as chip and PIN, end-to-end encryption, and their impact on PCI-DSS compliance, would be the next step," he says.
Next Steps?
Troy Leach, the PCI Council's chief standards architect, says the council is working to respond to questions about emerging technology, especially as it relates to encryption. "What are the domains that we need to determine are secure? And what does that roadmap look like going forward? These are things we are addressing," he says.
End-to-end or point-to-point encryption, Leach says, could simplify compliance with the PCI-DSS. To that end, the council has identified six domains for encryption - encryption of the device; application security; the merchant encryption environment; the decryption environment; operations; and enhanced key management practices.
"We plan to educate our stakeholders, but it's going to require the involvement of special interest groups," Leach says. "I think if we form the right partnerships, we form the right teams, we can make valuable changes in this area."