According to the PCI Security Standards Council, the updated PCI standard, which will now be refreshed every three years instead of two, was based on hundreds of pieces of feedback. PCI DSS 2.0 incorporates a stronger emphasis on scoping sensitive data and a more risk-based approach for assessing vulnerabilities. Some believe, however, that the bigger news is not what IS included in the revised standard, but what IS NOT included.

“I think the reaction to what’s missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet,” Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com. “A lot of fundamental questions are still unanswered.”

A summary of upcoming changes to the PCI DSS is available online at https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf.

The onsite assessment, which must be completed by a PCI QSA (Qualified Security Assessor), will validate compliance with the twelve requirements set forth in the Payment Card Industry Data Security Standards. The PCI DSS requirements are designed to provide increased controls around data and its exposure to compromise.

Heartland recently announced that it expects to take a significant loss in Q3 resulting from more than $12.6 million dollars in fines from Visa and Mastercard, legal fees, and administrative costs. Given that 65% of the cost of a typical data breach is due to lost business from new and existing customers, none of which is included in the $12.6M figure, this may be just the tip of the iceberg for Heartland.

Pained over the cost of compliance? It’s nothing compared to the cost of a breach. Ask Heartland.

The Council previously announced the summary of changes between version 1.1 and version 1.2 to ensure awareness of the coming latest changes to the standard. Version 1.2 includes clarifications and explanations of the requirements that improve flexibility to meet today’s security challenges and ensure organization’s can adequately comply with the standard. While version 1.2 does not introduce any new major requirements to the existing 12 in place since the Council’s inception, the updates do change some practices, such as the sun-setting of implementations of Wired Equivalent Privacy (WEP) wireless security by June, 2010.

“This latest revision to the PCI DSS is welcome news for merchants and service providers as they grapple with the latest security threats to their payment transactions systems,” said Diana Kelley, partner and analyst with SecurityCurve, a data security consultancy. “The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs.”

Since the Council’s inception in Sept. 2006 and the release of version 1.1 of the PCI SSC, its Participating Organizations and Board of Advisors have been providing feedback on the standard, with global industry input into the revisions. This follows the established lifecycle process that will ensure that the PCI DSS standard is revised and updated on a two year cycle. Participating Organizations are given the opportunity to receive early drafts of all pending revisions to the Council’s standards and provide a bulk of the feedback during this process. PCI DSS version 1.2 was the primary discussion topic at the Council’s recently concluded and successful community meeting in Orlando, Fla., in which more than 500 attendees came together to begin the process of strengthening the standards even further.

“It is especially gratifying to know that version 1.2 of the PCI DSS is inclusive of global industry feedback,” said Bob Russo, general manager, PCI Security Standards Council. “This ensures that we continue to offer merchants and service providers a pathway to protect cardholder account data that is sensible and achievable.”

For More Information:
More information on the PCI Security Standards Council and becoming a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and other vendors are encouraged to join as Participating Organizations.