From: Juan Castro (SAL-LA)
Sent: Saturday, August 21, 2010 4:47:27 AM
Subject: NEWSBANK :: (PCI DSS 2.0) PCI SECURITY STANDARDS COUNCIL PREPARES INDUSTRY FOR STANDARDS CHANGES
PCI SECURITY STANDARDS COUNCIL PREPARES INDUSTRY FOR STANDARDS CHANGES
Council announces next step in transparent standards development and release process with publication of summary of changes highlights document for PCI DSS and PA-DSS
WAKEFIELD, Mass., August 12, 2010 — Today, the PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), published documentation highlighting the expected changes to be introduced with version 2.0 of the PCI DSS and PA-DSS in October 2010. In an effort to provide greater clarity and ongoing transparency, this summary will help all organizations involved in payment card security prepare to align their PCI security programs with the updated standards.
Participating Organizations will have the opportunity to discuss these changes at the PCI SSC Annual Community Meetings in Orlando and Barcelona, prior to the publication of the final standards on October 28.
As part of the planned standards lifecycle process, the proposed changes were developed with input and ongoing industry feedback received from merchants, banks, processors and vendors in the PCI community. This feedback was gathered both through the Council's formal feedback period and through additional channels such as industry events, the PCI SSC's Open Mic series and the online FAQ. Hundreds of pieces of feedback were received during this process, with more than half originating from outside the United States. As a result of this input, revisions categorized as clarifications, additional guidance and evolving requirements improve the flexibility organizations have in implementing controls, help them better manage evolving threats, and address scoping and reporting elements. Changes also increase alignment between the PCI DSS and PA-DSS, making it easier to achieve compliance with both standards.
Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not introduce any new major requirements. Key updates, clarifications and guidance include:
- Reinforcement of the need for a thorough scoping exercise prior to a PCI DSS assessment, in order to understand where cardholder data resides
- Support for centralized logging included in PA-DSS, to promote more effective log management
- Validation, within certain requirements, of a risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
- Greater alignment between PCI DSS and PA-DSS, to facilitate stronger security practices
"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," said Bob Russo, general manager, PCI Security Standards Council. "With the changes to the PCI DSS and PA-DSS outlined in advance, organizations will be better prepared to align their security programs with the updated standards and ensure security of their cardholder data."
The document will help stakeholders begin to prepare for discussion of the new versions of the PCI DSS and PA-DSS at the forthcoming Community Meetings in the US and Europe. A more detailed summary of changes and pre-release versions of the revised standards will also be provided to Participating Organizations in early September.
"The Council continues to promote active participation in the development of the standards," said Michael Reidenbach, Executive Vice President and Worldwide Chief Information Officer at Global Payments Inc, and member of the PCI SSC Board of Advisors. "The summary of changes not only gives stakeholders the information they need to plan for the updated standards, but also encourages industry involvement in shaping payment card security."
The summary of changes highlights document is available on our website at
The PCI SSC also invites Participating Organizations and the public to a webinar that covers the summary of changes in greater depth, to be held on August 24th at 3:00 p.m. ET / noon PT, and August 26th at 11:00 a.m. ET / 8:00 a.m. PT. Registration details can be found here:
August 24: http://register.webcastgroup.com/l3/?wid=0830824105314
August 26: http://register.webcastgroup.com/l3/?wid=0830826105315
For More Information:
For more information on the PCI Security Standards Council, please visit www.pcisecuritystandards.org or contact the PCI SSC Secretariat for any questions or concerns regarding the Community Meetings at firstname.lastname@example.org.
About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.
The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and other vendors are encouraged to join as participating organizations.