On October 28, 2010, the Payment Card Industry Data Security Standard (PCI DSS) 2.0 was released. There are no new requirements; the PCI Security Standards Council (“Council”) mostly made wording clarifications throughout the 12 existing requirements.
These changes go into effect January 1, 2011, but merchants don’t have to be compliant with them until December 31, 2011. The next major update is expected in 2013.
Here are a few significant highlights of what PCI DSS 2.0 has changed (in addition to the numerous minor tweaks):
Many large enterprises now use virtualization, and the Council has recognized this by including virtualization in the 2.0 standard.
In PCI DSS 2.0, the Council has added virtualization to the scope of the assessment. In delineating systems that may contain cardholder data, PCI DSS 2.0 includes this statement: “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
New Section 2.2.1.b specifies that “If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.”
There is further clarification that businesses cannot outsource their compliance to a third party, nor can a contract by itself satisfy a third party’s compliance obligations. This has been very clearly stated for a long time within the Card Brands’ (Visa’s in particular) operating regulations, but it is now stated explicitly once again under requirement 12.8.
Wireless Testing Procedures
Last summer, PCI phased out WEP; organizations may not install wireless systems using WEP. The clarification within PCI DSS 2.0 differentiates between the different types of wireless installations and what should and should not be tested as part of a PCI assessment. See Requirement 11.1.
While PCI DSS 2.0 does not impose any new requirements, it is quite telling what is missing from the latest Data Security Standard:
- No point-to-point encryption – it is expected that point-to-point encryption will be handled in a separate document.
- No tokenization – also expected to be handled in a separate document.
- No mention of cloud computing, even though virtualization is covered in the new standard. This is probably because of a perceived lack of maturity in supporting financial transactions.
- Mobile payments – the Council has stated that it doesn’t have a Special Interest Group for mobile payments. This is quite surprising, since this is one of the hottest areas and is attracting top players.
- Alternative payments – the new standard also does not address alternative payments. For example, VeriFone has already announced a partnership with PayPal, allowing customers to pay at the POS with their Paywave accounts. PCI seems to have missed this as well. For more info see: http://news.cnet.com/8301-13577_3-20020700-36.html
There will be more to come in the very near future, but in the meantime those subject to PCI compliance requirements should review the PCI DSS 2.0 standard and consider whether the clarifications should drive changes in approach. Particular attention should be paid to the requirements that apply if virtualization technology is in use. Finally, if you’ve not already reviewed vendor agreements for appropriate security requirements, you should do so; in all events, consider audits of vendors’ compliance, and of course consider the business objectives from all angles. You can download a copy of the 2.0 standard, as well as a summary of changes, at the Council’s new site.