The Payment Card Industry Security Standards Council (SSC) has released the latest version of its Data Security Standard, PCI DSS 2.0, the first big change since July 2009.
From 1 January 2011, merchants will be able to certify compliance against version 2.0 of the standard, which sets the data security rules for all organisations processing credit or debit card transactions.
Merchants should review the new requirements because although they will be able to certify against the older version 1.2.1 for most of 2011, they will be forced to switch to version 2.0 after 31 December, said Sumedh Thakar, director of engineering at security management firm Qualys.
But, he said, most changes in the new v2.0 are minor clarifications or additional guidance, making the new standard more explicit about requirements to protect cardholder data, including more detailed procedures to verify that an organisation is compliant.
The main changes, said Thakar, relate to assigning risk rankings to vulnerabilities, virtualisation, secure application development practices, WEP as a security control, and two-factor authentication.
The SSC has now settled on a three-year update cycle for the DSS, which means the next major version, DSS v3.0, can be expected in October 2013.
"This does show that the standards have matured enough now that major changes are not required regularly," said Thakar.
According to Amichai Shulman, chief technology officer at security firm Imperva, PCI has expanded awareness to data security risks since its inception and has driven major investments in data security technology and processes.
"The evolution of PCI DSS by the PCI Council is aimed at adapting the standard to the evolving threat and technology landscape, while reducing the cost of compliance. PCI DSS 2.0 is an important step in that direction," he said.