Virtualisation, tokenisation and encryption get top billing
The PCI Security Standards Council (PCI SSC) has revealed an updated version of the Payment Card Industry Data Security Standard (PCI DSS), which aims to set security rules for all merchants or organisations that process credit or debit card transactions.
Version 2.0 comes into effect on January 1st, 2011 but does not include any new major requirements, the organisation said. It is designed, PCI SSC says, to provide greater clarity and flexibility, making the requirements easier to understand and improving the implementation process.
The main revisions in version 2.0 are designed to improve understanding of where cardholder data resides; promote more effective log management in securing cardholder data; allow organisations to adopt a risk-based approach when assessing and prioritising vulnerabilities that is based on their specific business circumstances; and accommodate the unique environments of small merchants to simplify their compliance efforts, the new guidelines claim.
The new guidelines are geared towards newer technologies such as virtualisation, tokenisation and end-to-end encryption.
"Although there are no groundbreaking changes to PCI 2.0, there have been some clarifications made to the standards and some developments on how companies using virtualisation must comply with the PCI Data Security Standards (DSS)," said Rafe Pilling, PCI Consultant at SecureWorks. "However, organisations looking for clear guidance on storing PCI and non-PCI systems in a virtualised environment might be disappointed, as the boundaries are not clearly defined."
Sumedh Thakar, director of engineering at security firm Qualys, added: "The council also talked about the work they are doing to look at emerging technologies like end-to-end encryption, tokenisation and virtualisation. You will see that some of the changes in this version already reflect recognition of the new technologies and I am sure more updates will be coming in these areas. The SSC now has a dedicated CTO who is actively working to make sure the DSS stays in step with rapid changes in technology."
"The council has done a great job at being reactive and responsive, in an open community based effort, to get the standards to a mature state. Now they are attempting to stay ahead of the curve with new technologies in a dedicated effort working with industry leaders. Ultimately we expect DSS 2.0 to help merchants improve the security of their PCI networks while providing flexibility with their compliance efforts given the many different implementations that are out there," Thakar continued.
On the subject of tokenisation, Ulf Mattson, CTO of encryption firm Protegrity, said: "There is a particularly strong need for the PCI Security Standards Council to provide guidance on how tokenisation of cardholder data can reduce the size of the Cardholder Data Environment (CDE) and outline acceptable tokenisation architectures for implementations and operations. This is important because the CDE is that part of the network that possesses cardholder data or sensitive authentication data. Like many others, I expect the document to somewhat mirror the tokenisation best practices document that Visa released in July, which will be a good framework for the industry to build on."
The move to include tokenisation is a logical one, according to Jonathan Lampe, VP of product management at network monitoring firm Ipswitch. "Tokenisation – the use of data tokens in place of sensitive data such as PAN – is essentially a cost saving measure. Early adopters are shrinking the costs of PCI compliance by handing responsibility for their most sensitive information to a trusted custodian, saving them the expense of treating every interaction as top secret. Tokenisation is already accepted by Visa and is the focus of a current PCI Council committee; the next logical step is for it to be incorporated into official PCI guidance."
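The mechanism Lampe and Mattsson describe, a token standing in for the PAN so that only the custodian's vault sits inside the cardholder data environment, is sketched below as an added illustration. It is not code from Ipswitch, Protegrity or the PCI SSC, and it makes several assumptions of its own: an in-memory `TokenVault` stands in for a real tokenisation service, tokens keep the card's last four digits for receipts and are deliberately generated to fail the Luhn check so they cannot be mistaken for a PAN, and `scan_for_pans` is a crude approximation of the "where does cardholder data reside" check that the revised standard asks merchants to get right. The card number used is the well-known Visa test number, not a real account.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` is a 13-19 digit string that passes the Luhn check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory tokenisation service (constructed for this example).

    Only the vault ever sees cleartext PANs. Its lookup index is keyed by an
    HMAC of the PAN, so the same card always maps to the same token without
    the index being a second cleartext copy of the PAN.
    """

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random digits of the same length, keeping the last four for receipts.
            # Tokens that happen to pass Luhn are rejected (design choice of this
            # example) so a PAN scanner never confuses a token with a card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only systems with vault access, i.e. inside the CDE, can recover the PAN."""
        return self._pan_by_token[token]


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_for_pans(text: str) -> List[str]:
    """Find Luhn-valid 13-19 digit runs: a crude 'where does cardholder data reside' check."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def store_order(vault: TokenVault, order_id: str, pan: str, amount: str) -> str:
    """What the merchant's order system keeps: a token, never the PAN."""
    token = vault.tokenize(pan)
    return f"order={order_id} card={token} amount={amount}"


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test card number, not a real account
    record = store_order(vault, "A1001", test_pan, "19.99")
    print(record)
    print("PANs found in merchant record:", scan_for_pans(record))
    print("PANs found in raw input:", scan_for_pans(f"card={test_pan}"))
```

Run as-is, the merchant record contains a token that the scanner does not flag, while the same scanner does flag the raw card number; the only component able to turn the token back into a PAN is the vault, which is the part that would remain in scope.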
Version 2.0 begins a three-year lifecycle for the development of PCI standards. Validation against the previous version of the standard (1.2.1) will be allowed until the end of 2011, the organisation said.