PCI DSS 2.0 brings clarity and guidance for merchants

With the debut of PCI DSS 2.0, the PCI SSC focuses on guidance for risk-based compliance, and addresses issues such as virtualisation and cloud security. Conspicuously absent, however, is guidance on tokenisation.

Any organisation handling credit card details will breathe a sigh of relief with the release of the new version of the Payment Card Industry Data Security Standard (PCI DSS). The new version, numbered 2.0, introduces few new requirements and offers more clarification and guidance to help merchants with their PCI compliance efforts.


While some had feared that in moving from the current version 1.2 to 2.0 the PCI Security Standards Council (SSC) would introduce dramatic new changes, PCI DSS 2.0 instead does much to tidy up the standard and clarify what is required.

"We are not having to make massive changes to the standard with version 2.0," said Jeremy King, European director of the PCI SSC. "The approach is based on what we have learned in developing the standard. Guidance and clarification have been the main themes this time."

King said the standard now takes account of virtualisation as well and provides some guidance on how security should now be handled in virtual servers and in the cloud.

A clear roadmap
One benefit of the new standard is that it now provides merchants with a much clearer timeline for compliance. The new 2.0 standard will not be enforced until January 2012, giving companies time to plan. Furthermore, those companies still working to be assessed against version 1.2 can continue with their plans. "If you are still on 1.2, you don't have to abandon it," King said. "You have the whole of 2011 to complete that process before the 1.2 version is retired. If you are part-way through the process, fine, get that completed and then move on to version 2.0."

He said that PCI DSS 2.0 builds on 1.2, and so any work done on the current standard will not be wasted.

The introduction of version 2.0 also heralds the start of a new three-year lifecycle for PCI DSS, which links it with its two related standards, PA DSS (which deals with compliant software products) and PCI PTS (which deals with payment terminals). This cycle has been introduced to give more stability to the standard, allowing companies to plan ahead and take more time to implement each new version.

Reaction to the news was generally positive. Neira Jones, head of payment security for Barclaycard, said: "The standard has finally reached maturity, and it allows merchants to plan better." She said she was pleased to see more help for small merchants and also welcomed the greater focus on risk rather than merely ticking the compliance boxes.

But Jonathan Lampe, VP of product management and representative to the PCI council for network monitoring company Ipswitch Inc., said some merchants were unhappy with the move toward risk-based compliance. "Some companies want to be told exactly what to do," he said.

PCI DSS 2.0: A 'risk-based' approach
To that end, the new 2.0 standard's more risk-based approach provides merchants and their Qualified Security Assessors (QSAs) with more discretion in deciding what level of security is appropriate to the circumstances. One example of this is in the area of encryption key management, where the standard has hitherto demanded that keys should be refreshed annually. This has now been relaxed, and allows merchants and their QSAs to make a qualified decision on when to refresh.

"Historically, we have asked for keys stored offsite to be changed every year. That was considered standard best practice, but the problem is that changing keys is quite a lengthy and complicated task," King said. "Most people thought their keys were still strong and didn't need to be updated that often. We have reflected that, and so the advice now is to take a risk-based approach and change the keys when you think they might need it, but not necessarily every year."

He added that the standard is now placing more emphasis on the value of storing system logs, both as a way of averting attacks and of helping to trace the root cause of any breach. "We want companies to use new techniques and technologies for handling logs," he said. "There are software solutions available that help you detect earlier if your systems are under attack. The earlier you can detect the attack, the faster you can shut it off and prevent card data leaking from your systems."

In a further effort to clarify the requirements, King said, the SSC has launched a new PCI DSS website aimed at small companies. Recognising that these companies may lack technical expertise, the message is couched in simple terms and designed to be understood by the non-IT specialist.

"We've tried to make it more understandable to the smaller merchants who won't be working with QSAs and will be doing their own self-assessment questionnaires. We have made it easier for them to fill in the SAQ C form instead of the D form, which simplifies the process greatly. The SAQ D form is very long, and, for most smaller merchants, a lot of the questions don't apply," he said.

Jury still out on tokenisation and encryption
Despite clarifying many points, the standard still leaves two key areas in limbo: tokenisation and point-to-point encryption. Both of these technologies are key elements in enabling merchants to take parts of their systems out of scope of the standard. In other words, if merchants can prove card data has been encrypted or substituted by a token, then it is viewed as secure and out of scope of PCI compliance requirements.
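To illustrate what "substituted by a token" means in practice, here is an added example (written for this page, not code from the PCI SSC or any vendor mentioned in the article). It assumes a hypothetical in-memory token vault that holds the only copy of the PAN-to-token mapping and stays inside PCI scope, while the merchant's order records carry a random token and a masked PAN only. The class and function names are the example's own.

```python
import re
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check used to reject obviously malformed card numbers before vaulting."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only component that ever sees a full PAN.

    Tokens are random, not derived from the PAN, so a leaked token carries
    no information about the card number and cannot be reversed offline.
    """
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:       # same card -> same token (for refunds/recurring)
            return self._token_by_pan[pan]
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the component that talks to the acquirer may recover the PAN."""
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]

def mask_pan(pan: str) -> str:
    """Keep last four digits only, the usual display form outside the vault."""
    return "*" * (len(pan) - 4) + pan[-4:]

def merchant_record(vault: TokenVault, raw_pan: str, order_id: str) -> dict:
    """What the merchant's order database stores: no PAN, just token + mask."""
    pan = re.sub(r"\D", "", raw_pan)
    token = vault.tokenize(pan)
    return {"order_id": order_id, "token": token, "masked_pan": mask_pan(pan)}

def record_holds_pan(record: dict) -> bool:
    """Sanity check a scoping review might run: does any field look like a PAN?"""
    for value in record.values():
        digits = re.sub(r"\D", "", str(value))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample input: a well-known test card number, not a real account.
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111", "order-42")
    print(rec)                           # token + '************1111', no PAN
    print(record_holds_pan(rec))         # False
    print(vault.detokenize(rec["token"], role="payment-processor"))
```

The point a scoping review cares about is the last function: the merchant's records contain nothing that passes as a card number, so the systems that hold them can be argued out of scope, while the vault and the processor-facing component remain fully in scope.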

However, as King conceded, arriving at a clear and definitive set of guidelines to cover all circumstances has proved harder than expected. "Tokenisation has been challenging. We've talked to relevant experts and other standard bodies, and whenever you get two experts together on this, you can get three different opinions," he said. "The devil is in the details unfortunately, and we still have a lot of work to do on it."

Guidance papers on both tokenisation and point-to-point encryption are planned, but King would only say that they will be produced "some time during 2011."
