A tremendous amount of focus has been upon today when the PCI Council released publicly the latest standard for the payment card industry. There undoubtedly will be an incredible amount of discussion on the varied points, and I will try to identify the most valuable over the next several days. To that point, though I wanted to highlight a few nuances that enterprises must consider with regards to this new standard. Most importantly, how the payment card industry is evolving.
The new standard, available for download today, has numerous points of clarification and expansion on security controls – all designed to secure the highly trade-able data. Interesting highlights:
- Further clarification that businesses cannot outsource their compliance to a third party, nor can a contract satisfy third party compliance agreements. This has been very clearly stated for a long time within the Card Brands (Visa in particular) operating regulations, but is now stated absolutely in page 16 and again under requirement 12.8. A nice post available here goes into greater detail.
- The new standard focuses more on ensuring actual controls are effective and operational and less about simple paper verifications. This is a change as it approaches the intent of the standard, and will provide better ability for organizations to protect their card holder data. (i.e., 12.9 ‘Be prepared to respond immediately to a system breach.”)
- The usage of ‘All’ is more frequent in the new standard. This covers areas of policy consideration and technical solutions. Careful awareness of the scope of the payment environment will ensure lower risk, and greater ability to weave the PCI DSS 2.0 into enterprise security programs.
- Greater updates also were focused on the Compensating Controls section, and should be carefully reviewed going forward.
Branden Williams’ always has valuable data points, and his article related to the new release can be found here.
More to come in the very near future, but in the meantime – read the standard yourself; consider your organization’s moving forward strategy; develop a comprehensive data security program that includes PCI controls and risk considerations, and of course consider the business objectives from all angles.