PCI Council Convenes to Discuss Compliance UpdateBy Ericka Chickowski | Posted 2008-09-30 Email Print
PCI compliance watchers learned of important revisions to encryption definitions, bolstered requirements for wireless network security, and strengthened requirements to use web application vulnerability assessment and web application firewalls. PCI compliance watchers also learned of special interest group participation to help better clarify wireless security and payment card pre-authorization.
Last week, the PCI Security Standards Council unveiled to its Council Participating Organizations details about the changes in the updated 1.2 version of the PCI Data Security Standards expected out on Oct. 1. The council also reported that it will seek community participation to create a new separate set of guidance to help clarify necessary practices in complying with the PCI Data Security Standard.
The announcement was made at the council’s second annual community meeting, held for the benefit of participating merchant organizations beholden to the standard and assessors who ensure compliance. Acting as a standards-making arm of the five major payment card companies, the PCI Security Standards Council encourages feedback from the community of organizations affected by the standards through an official body of participating members.
Bob Russo, general manager of the PCI Security Standards Council, explained to the rabble last week that the updated set of standards are hardly a departure from the previous rule-set.
“Based on what we are hearing and seeing the standard is really solid. There weren't that many changes that needed to be made between 1.1 and 1.2, which is a testament to how stable the standard and how good it is,” Russo says, explaining that the meeting “was a really good exchange, we've got to hear what it is our constituents want, what they need they got to hear how the standard has been updated based on their feedback.”
The 70 percent growth in participation at the annual meeting stands as a testament to the swell in popularity of this grassroots governance approach. According to Russo, more than 625 attendees from hundreds of organizations attended the gathering. The council’s ranks of assessment community members providing input into the standards setting process recently reached a milestone of 500 this fall, up from 240 last year.
Many of these members already had already gotten wind of many of the changes involved in PCI DSS version 1.2 months ago, including important revisions to encryption definitions, bolstered requirements for wireless network security, and strengthened requirements to use web application vulnerability assessment and web application firewalls. As a result, news of upcoming PCI Council efforts drew perhaps even more interest than the 1.2 changes, Russo says.
Top takeaways among these details includes the council’s work to draw participation within new Special Interest Groups (SIG) that will provide better clarification of the standard’s requirements in regard to certain technical processes. This years meeting stood up two SIGs on wireless security and payment card pre-authorization security and council leadership explained that there were more SIGs on the way.
“Network segmentation is a big area of concern; it is very, very hard to define. The biggest areas are how do I figure out what to install? How do i know what needs to be done, (if) I want to make sure I don't leave anything out?” Russo says, explaining that at the same time an organization doesn’t want to do too much work that is out of scope with the standard. “So there are scoping issues... We are already in the process of putting together a Special Interest Group which will then make recommendations—not so much in changes to the standard—but in the form of guidance documents.”
Russo says to expect deliverables within three to six months.
Other details discussed at the meeting included upcoming efforts to provide guidance regarding specific types of technology that may improve compliance efforts without necessarily endorsing vendors, Russo says, along with discussions of an upcoming release of new requirements to shore up PIN entry device security that should be coming down the pike within a year.