The Payment Card Industry (PCI) Security Standards Council will soon conclude its public comment period on version 2.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard. The council, a global, open industry standards body for the PCI DSS, began soliciting comments in November of last year from its members and other parties.


Version 2.0 makes the standard more granular, replacing the vague language and parameters of version 1.0, according to Paul Nowling and Rick Heroux of Compliance Solutions and Resources.


The council “took things that were not clear and people were not doing and broke the requirements down into what the real expectation is,” Heroux said, adding that version 2.0 “significantly improved merchants’ abilities to be compliant.”


One major improvement was the introduction of the SAQ C-VT, an abbreviated self-assessment questionnaire that helps small and medium-sized merchants become compliant; many of them had trouble getting through the longer, more complex questionnaires, much of which did not even apply to them. Heroux said version 2.0 has clarified requirements for merchants and “brought it down to a level to what they needed to do to protect specifically what they were doing on these machines.”


He added that the merchants that tend to struggle most, to date, fall into three groups: those running a system that is complex yet easy to use (a point-of-sale system, for example) and therefore demands technical knowledge and security expertise; those that give vendors their passwords without realizing the danger of third-party access to data; and those unaware that out-of-the-box default passwords can generally be found online and should be changed immediately.


The standards are updated every three years based on such feedback, and the feedback periods are launched one year from the time new standards are issued. PCI DSS version 2.0 became effective as of January 1, 2011.


Revising standards according to feedback is essential, Nowling said, because it encourages compliance.


“The last thing you want to do is get a merchant started on a process and have it so complicated that they throw their hands up and walk away,” Nowling said. “Because even if they couldn’t meet all requirements, there is so much to be gained from having a policy and from training employees. The majority of breaches come from employees not being trained and hooking up to a point-of-sale system.”