Changes to PCI standard not expected to up ante on protecting payment card data

August 20, 2008 (Computerworld) The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.

As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.

The PCI standard was created by the major credit card companies, including Visa, MasterCard and American Express, to try to prevent the theft of credit and debit card data from retail systems. The standard, which went into effect in June 2005, outlines 12 broad security controls that retailers, online merchants, data processors and other businesses must implement to protect cardholder data. Companies that fail to meet the requirements are subject to fines and potentially can be barred from processing payment card transactions.

Version 1.2 is due to be published on Oct. 1 as the first update of the PCI standard. The PCI council, which was set up two years ago to manage the standard, said in the summary FAQ document released this week (download PDF) that a "sunset date" has yet to be set for using the initial version of the standard. But at a minimum, companies will have at least three months after the sunset date is published to start conducting security assessments using Version 1.2, the council said.

Most of the upcoming changes appear to be relatively minor refinements to the existing security controls, according to Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. "There really isn't anything here that should be too troubling for organizations," he said.

For example, changes are being made to the requirements related to deployment of software patches. Huguelet said that PCI 1.2 will allow companies to adopt more risk-based approaches to deploying patches instead of requiring them to install relevant patches within one month of the fixes being released, as is the case now. That will enable IT and security managers to use more of their own judgment in determining how quickly to patch systems based on their own threat assessments, he added.

Similarly, under Version 1.2, companies will be required to review their firewall rules only once every six months, as opposed to the quarterly requirement set by the current PCI standard.