As the PCI Security Standards Council prepares to release version 2.0 of the PCI DSS on October 28, many are reviewing the Council's summary of changes to prepare for the new version. The draft outlines no major changes to the requirements, mostly clarification and guidance; the biggest impact is that the new wording gives merchants more flexibility in how they become PCI compliant. These additions are a direct result of business owners and operators voicing concerns that previous versions eliminated alternative means of meeting requirements, and so made compliance harder than it needed to be. What does this mean for merchants?
It means that while merchants may not have to make large changes, they still need to be aware of the ways requirements can now be met. The following table lists the proposed changes, giving the affected section (where the summary names one), the reason for the change and the change itself.
Section: PCI DSS Intro
Reason for change: Clarify the applicability of PCI DSS and cardholder data.
Change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to the PAN.
Change: Align language with the PTS Secure Reading and Exchange of Data (SRED) module.

Section: Scope of Assessment
Reason for change: Ensure all locations of cardholder data are included in the scope of PCI DSS assessments.
Change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.

Section: PCI DSS Intro and various requirements
Reason for change: Provide guidance on virtualization.
Change: Expand the definition of system components to include virtual components.
Change: Update Requirement 2.2.1 to clarify the intent of "one primary function per server" and the use of virtualization.

Section: PCI DSS Requirement 1
Reason for change: Further clarify the DMZ.
Change: Provide clarification on secure boundaries between the Internet and the cardholder data environment.

Reason for change: Clarify the applicability of PCI DSS to issuers or issuer processors.
Change: Recognize that issuers have a legitimate business need to store sensitive authentication data.

Reason for change: Clarify key management processes.
Change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and the use of split knowledge and dual control.

Reason for change: Apply a risk-based approach to addressing vulnerabilities.
Change: Update the requirement to allow vulnerabilities to be ranked and prioritized according to risk.

Reason for change: Merge requirements to eliminate redundancy, and expand the examples of secure coding standards beyond OWASP.
Change: Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding of internal and web-facing applications.
Change: Include examples of additional secure coding standards, such as CWE and CERT.

Reason for change: Clarify remote copy, move and storage of CHD.
Change: Update the requirement to allow a business justification for copying, moving and storing CHD during remote access.
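Two of the rows above are about concrete controls rather than paperwork: Requirements 3.3 and 3.4 apply only to the PAN (mask it on display, render it unreadable in storage), and the key-management row concerns split knowledge and dual control. The scoping row also asks that every location of cardholder data be identified, which in practice means searching logs and dumps for PANs. The following Python is an added example written for this page, not code from the original post or from the PCI SSC; the function names, the regular expression, the XOR key-combination scheme and the sample log line are the editor's own assumptions about how a practitioner would implement these controls with the standard library only.

```python
"""PCI DSS Requirement 3 helpers (added example, not from the original page):
find PANs for scoping, mask for display (3.3), render unreadable for
storage (3.4), and build a key from split components (3.6)."""
import hashlib
import hmac
import re
from functools import reduce

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Distinct Luhn-valid PANs found in free text (logs, memory dumps),
    normalised to bare digits. This is the scoping question: where does
    cardholder data actually live?"""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Req. 3.3: display at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: keep only the last four digits; the rest is discarded."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


def combine_key_components(*components: bytes) -> bytes:
    """Split knowledge / dual control (assumed scheme): each custodian supplies
    one full-length component and the working key is their XOR, so no single
    custodian ever knows the key."""
    if len(components) < 2:
        raise ValueError("at least two custodians are required")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("components must be the same length")
    return bytes(reduce(lambda a, b: a ^ b, bs) for bs in zip(*components))


def pan_hash(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way hash. A PAN has little entropy (the BIN is public and
    the last digit is a checksum), so an unkeyed SHA-256 can be inverted from
    a precomputed table; keying the hash with a secret managed under 3.5/3.6
    removes that shortcut."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# Constructed sample log (not real data): a test PAN with spaces, a 13-digit
# order id that fails Luhn, and a 14-digit reference that also fails Luhn.
SAMPLE_LOG = (
    "2010-10-28 12:01:07 POS checkout order=1234567890123 card=4111 1111 1111 1111 amount=42.00\n"
    "2010-10-28 12:01:09 POS approval ref=20101028120107\n"
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("found PAN; display as", mask_pan(pan), "store as", truncate_pan(pan))
    key = combine_key_components(bytes.fromhex("0f" * 32), bytes.fromhex("f0" * 32))
    print("keyed hash:", pan_hash("4111111111111111", key))
```

The regular expression is deliberately loose and the Luhn check does the filtering: of the three long digit runs in the constructed log, only the test card number survives. Note that truncation and a hash of the same PAN should never be stored side by side, since the hash can then be brute-forced over the few unknown digits.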
Along with the edits in version 2.0, the Council has also decided to extend the PCI Security Standards lifecycle. The lifecycle, the period between one version of the standards and the next, has been changed from two years to three. The longer lifecycle allows more opportunity for feedback, a more predictable effective date and a longer lifespan for existing versions.
As version 1.2 is retired and version 2.0 goes into effect on January 1, 2011, we will see what effect it has on businesses, merchants, QSAs and PCI compliance and security overall. Look for my blog in November for a final overview of version 2.0.
Does PCI education still matter? Many middle managers, and even some internal IT professionals, are asking. PCI compliance has become a hot subject, and if you already work in technology you might wonder whether you need to learn much more about it.
The reality is that most people still don't know the ins and outs of PCI compliance, and everyone in an organization has to work together to preserve security. For non-technical employees this may simply mean protecting their logon credentials and using encryption wherever it is available. Any weak link in the chain leaves the entire organization open to exploitation, and that is never a good thing.
PCI education bridges the gap between ignorance of security policies and adoption of better security practices, without making anyone feel they are part of the problem. When you are trying to get your team on the same page, the last thing you want to do is assign blame; that only makes people feel attacked and less likely to embrace the training.
Although most companies think first of physical security, data security is just as important. Your company's network needs to be as solid as possible, especially if it is connected to the Internet. The Internet is a powerful resource that everyone benefits from, but you still need to raise your company's defenses against unauthorized users and other Internet-borne threats.
However, many companies do not put everything they can into security. It is not that they don't want to; not every company has the internal resources to defend itself against the sheer volume of online threats.
You don't have to fight that fight alone. Automated Internet security services can take on much of the work, leaving you free to focus on other parts of your business.
Where can you find such services? Many companies that offer compliance consulting and data security assistance can help you shape a security package that fits your business; contact one today and hit the ground running.
The financial consequences of a data breach can be astronomical for business owners. Card replacement costs, stiff penalties and loss of customer confidence can dramatically cut into a business's profits.
Failing to become PCI compliant is one of the most overlooked risks to an organization's welfare. It is easy to see how the average cost of a data breach can rise past a million dollars when replacing a single compromised record costs more than $200, according to the Ponemon Institute. Businesses can also face stiff penalties, not only from the card brands but from government institutions: the Federal Trade Commission is pushing for legislation that mandates that companies take the correct steps to protect consumers, and in some cases it is already bringing cases against those who don't. Lastly, if customers don't trust you to protect their sensitive financial information, they will take their business to your competitors.
Increasing your security and becoming PCI compliant is, in effect, protecting your profits. SecureConnect is a comprehensive solution to the overwhelming aspects of PCI compliance and network security, with cost-effective packages that integrate easily and flexibly with your business. To protect your profits, contact SecureConnect today!
A new study by Verizon Business has found a significant link between PCI compliance and a lower rate of data breaches. The study, the "Verizon 2010 Payment Card Industry Compliance Report", found that PCI compliant businesses are less likely to suffer a data breach than those that are not. In addition, 50 percent of the breached businesses studied were not compliant at the time of the incident.
Becoming PCI compliant and securing your network environment is the best defense against a data breach. To make sure your business is properly protected, choose a multi-layered system, like SecureConnect, that can adapt to your business while adhering to the latest PCI DSS requirements.
Within the study, companies struggled most with three requirements, which are also the areas most often implicated in breaches. The three requirements are:
1. Requirement 3: Protect stored cardholder data
2. Requirement 10: Track and monitor all access to network resources and cardholder data
3. Requirement 11: Regularly test security systems and processes