It’s hard to believe it’s been two years since the release of the PCI DSS 1.2. In those two years we’ve seen the threat landscape evolve and mature with the commoditization of attacks, the continued changes in and complexity of infrastructure and operations, and a shift towards organized crime. The pending release of version 2.0 strives to evolve the standards, to enhance clarity and to address threat and technological changes. Work from several Special Interest Groups (SIGs) is also coming to fruition and should result in a series of additional publications such as Information Supplements and other guidelines.
We are anticipating that this version and supporting guidelines will address areas such as virtualization, tokenization, end-to-end encryption, cardholder data discovery, and provide for a more risk-based approach to protecting payment card data. Equally importantly, we are expecting to see some areas of the scoping process clarified, including how the standards should be applied in issuer environments.
We’re expecting that organizations that are already PCI compliant will not face significant challenges in becoming compliant with 2.0. However, there may be some new areas, such as the rumoured requirement for a cardholder data discovery methodology, that could require the development of new policies and processes, and potentially the deployment of new technologies to implement those controls effectively.
Symantec will be at the PCI Community Meeting in Orlando on September 21-23 and will be providing updates as things develop, so stay tuned! In the meantime we’re interested in hearing what you and your organization are doing to prepare for 2.0.
Symantec’s Lead Technical QSA, Michael Garvin, has worked in information security, compliance, system administration, and enterprise architecture for nearly 20 years. His experience includes higher education, service providers, and corporations including Sun Microsystems. He has been delivering PCI assessments with Symantec for four years and participates in PCI SSC activities. Michael is a CISSP, PCI QSA, CHP (Certified HIPAA Professional), and CHSS (Certified HIPAA Security Specialist).