PCI SSC Prepares Industry for Standards Changes

Council announces next step in transparent standards development and release process with a summary of changes for PCI DSS and PA-DSS.

August 13, 2010

WAKEFIELD, MA - The PCI Security Standards Council (PCI SSC) has published documentation highlighting the expected changes to be introduced with version 2.0 of the PCI DSS and PA-DSS in October 2010.

In an effort to provide greater clarity and ongoing transparency, the summary is intended to help all organizations involved in payment card security prepare to align their PCI security programs with the updated standards.

Participating Organizations will have the opportunity to discuss these changes at the PCI SSC Annual Community Meetings in Orlando and Barcelona, prior to the publication of the final standards on October 28.

As part of the planned standards lifecycle process, the proposed changes were developed with input and ongoing industry feedback received from merchants, banks, processors and vendors in the PCI community. As a result of this input, revisions categorized as clarifications, additional guidance and evolving requirements give organizations more flexibility in implementing controls, help them better manage evolving threats, and address scoping and reporting elements. Changes also increase alignment between the PCI DSS and PA-DSS, making it easier to achieve compliance with both standards.

Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include:

  • Reinforcement of the need for a thorough scoping exercise prior to a PCI DSS assessment in order to understand where cardholder data resides
  • Support for centralized logging included in PA-DSS to promote more effective log management
  • Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
  • Greater alignment between PCI DSS and PA-DSS to facilitate stronger security practices

The document will help stakeholders begin to prepare for discussion of the new versions of the PCI DSS and PA-DSS at the forthcoming Community Meetings in the US and Europe. A more detailed summary of changes and pre-release versions of the revised standards will also be provided to Participating Organizations in early September.

The PCI SSC also invites participating organizations and the public to a webinar that covers the summary of changes in greater depth, to be held on August 24 at 3:00 p.m. EST and August 26 at 11:00 a.m. EST. Registration details can be found here.
