The Payment Card Industry Security Standards Council plans to make minor changes in the next iteration of PCI DSS, making clarifications on secure coding and key management
The PCI Council issued a high-level summary document reflecting nine changes to appear in PCI DSS 2.0 and three changes to the PA DSS 2.0. A detailed summary of the changes will be issued along with pre-release versions of the standards in September.
PCI Council general manager Bob Russo reiterated that the proposed changes are minor and don't offer any new requirements for merchants. Clarifications change the wording in PCI DSS to portray the intent of a requirement, Russo said, while changes that provide additional guidance help people better understand a requirement.
"People will be reasonably happy that the changes are minimal," Russo said. "The standard is very strong at this point and reasonably mature for the five years or so that we've had it; most of what we're seeing are these clarifications."
The PCI Council is proposing new language giving merchants guidance on how to define the scope of an assessment. Russo said the document will recommend merchants use data discovery tools or data leakage protection technology to discover where cardholder data resides on their systems prior to a PCI assessment.
Proposed changes also address secure coding and vulnerability discovery. Requirement 6.2 will be altered to recommend merchants apply a risk-based approach for addressing vulnerabilities. In addition, the PCI Council is merging requirements that address secure coding and Web applications to offer up more resources that merchants can use to find secure coding standards. Currently the standard only lists OWASP as a resource.
A proposed clarification to Requirement 3.6 addresses periodic cryptographic key changes. Merchants storing cardholder information as a back-up at a secure offsite facility need to have the data encrypted, but won't have to make annual key changes.
The PCI Council is also adding guidance in the standard for virtualization technology, updating Requirement 2.2.1 to reflect the technology's use among merchants.
Diana Kelley, founder and partner at Security Curve, said the proposed PCI DSS and PA DSS changes are welcome and help give merchants and QSAs a better understanding of the document's intent. The PCI Council has additional work to do, she said. PCI wireless guidelines, issued last year, remain outside of the standard and Visa Inc. has issued its own guidance on tokenization.
"My biggest fear is that we're beginning to see a splintering of PCI with other documents being issued outside of the standard," Kelley said. "Merchants need to refer to other documents rather than the DSS and that may make it less comprehensive."
The PCI Council announced in June that it would be moving to a three-year lifecycle for PCI DSS and PA DSS. The council will hold stakeholder meetings with participating organizations in Orlando next month and in Barcelona in October. The final version of the documents will be published Oct. 28 and become effective on Jan. 11.