The PCI Security Standards Council has announced that it will release the much-anticipated PCI DSS version 2.0 update in October 2010. As a Qualified Security Assessor (QSA) and active contributor to the IT security community, ValCom has been on the front lines providing feedback on proposed changes and aligning our security program for maximum efficiency and compliance.
While no new major requirements are anticipated, changes will include the following:
- Reinforcement of need for thorough scoping exercise prior to PCI DSS assessment in order to understand where cardholder data resides
- Support for centralized logging included in PA-DSS to promote more effective log management
- Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
Reasons for Upcoming PCI DSS Changes
Before introducing changes, the PCI DSS Council defined the considerations they aimed to address:
- What is best for payment security?
- Global applicability and local market concerns
- Appropriate sunset dates for other standards or requirements
- Cost/benefit of changes to infrastructure
- Cumulative impact of any changes
Goals for Upcoming Changes to PCI DSS
The PCI Security Standards Council hopes the PCI DSS 2.0 changes will:
- Provide greater clarity on PCI DSS & PA-DSS requirements
- Improve flexibility for merchants
- Help manage evolving risks / threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation
For more information on PCI DSS requirements, please call us at: 630.285.0500 or send us an email.
To access the PCI Security Standards website, visit the following resources:
PCI DSS 2.0 Summary of Changes