The long anticipated release of PCI DSS 2.0 and PA DSS 2.0 is nearing completion and the PCI Security Standards Council finally issued a sneak preview into the coming changes. We’ll be issuing a Gartner First Take on this shortly.
Nothing earth shattering and most of the ‘hard work’ that many Gartner clients are waiting for is still not done, and is being left to the Special Interest Groups to figure out. Those projects include understanding the linkage between PCI compliance requirements and implementations of Chip cards (as opposed to magnetic stripe), tokenization, or point-to-point (a/k/a ‘end to-end’) encryption, and how these implementations can potentially limit the scope and requirements of PCI audits.
These SIGS are not being held to any particular deadlines and it’s still unclear how their reports will fold into PCI requirements but word has it that they are aiming to finish their work by the end of 2010 and that their reports will result in further guidance rather than clear cut requirements, a somewhat justifiable position since there are still no industry standards for tokenization or point-to-point encryption.
In the meantime, the standard’s revisions, as summarized on August 12, seem like a positive step and don’t seem to impose a lot of extra work and unreasonable requirements on complying organizations, but since the devil is in the still-unpublished details, it’s too early to know how positive a step they really are.
We look forward, in particular, to reading promised:
a) Clarification on how to secure cardholder data environments from the Internet, or further clarification of the DMZ
b) Upcoming guidance on virtualization
c) Requirements that enable a risk based approach to PCI compliance activities.
Interestingly, the summary of changes includes clarification that the card issuers or issuer processors are allowed to store sensitive authentication data because of their legitimate business needs. What‘s glaringly absent however, is any enforcement or deadlines for PCI compliance at issuers or their processors. While the PCI standards council is not responsible for actually enforcing PCI (the card brands are), this particular clarification highlights the unequal treatment across the card food chain as all of the enforcement attention and deadlines are placed on the merchants, merchant acquirers, merchant processors and other card accepting organizations – with no corresponding enforcement efforts or deadlines on the card issuing side.
Card data and processing security requires collaborative efforts across card issuers, acquirers, merchants, processors and cardholders. With all formal PCI enforcement efforts targeting merchants and their processors, these lopsided efforts are continuing. Responsibility for PCI compliance efforts and upgrades to card data security needs to even out so that card issuers and their systems become part of the solution.
So all in all, we see mild and incremental improvements to the PCI standards with the upcoming release. But what is glaringly lacking is progress on the hard and most important issues, including the implications of adopting alternative technologies (e.g. tokenization, chip cards, point-to-point encryption), and getting the card issuers to do their part in upgrading card security.
Category: Uncategorized Tags: