There has been much noise about the new PCI DSS standard, and in particular reports (from CNET and other media channels) that specifically concerned the encryption section of PCI DSS v1. As I posted earlier, and as my friends at the PCI Assessors Blog and Martin have also written, this is nonsense, and it would be ridiculous if it were true.
That said, VISA has now substantiated my post and the others by stating that the requirements will not be made “less robust”.
The pertinent excerpts from VISA’s communication on the new requirements, which clarify the confusion:
“…However, there are no plans to make any of the PCI DSS requirements less robust. PCI DSS will continue to require all entities that store, process or transmit cardholder data to “Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, in logs, and data received from or stored by wireless networks).”
As with all PCI DSS requirements, entities have always been permitted to implement compensating controls where they cannot meet a requirement explicitly as stated, provided that those controls sufficiently mitigate the risk associated with a given PCI DSS requirement…”