PCI DSS 2.0 Update—Evolutionary, Not Revolutionary

by Kurt Hagerman, Managing Director, Coalfire

Coalfire is committed to staying in touch with all our stakeholders on the issues that are important to you. In line with that, we want to offer you some guidance and insight on the updates that are part of PCI DSS 2.0. We hope this will calm your fears and help you prepare for any changes that may need to happen within your organization.

Nothing to Fear
Let’s begin by saying that the updates found in 2.0 are evolutionary and not revolutionary. They are meant to better align merchants and service providers while improving clarity and guidance on control intent and PCI assessment criteria. These changes are a priority for the PCI Security Standards Council so they can ensure the standards are up to date with emerging threats and changes in the marketplace. This new version is designed to be incremental and will not have a significant effect on most current PCI programs.

Time is on Your Side
The new standards were published at the end of October 2010 and will go into effect January 1, 2011, but there is no need to panic. This new version will not immediately put any merchant out of compliance, and if you are currently in the midst of an assessment using PCI DSS 1.2, you can continue and complete that process without penalty. The sunset date for version 1.2 is December 31, 2011, and necessary updates to your existing PCI program can be addressed at your next scheduled assessment. The Standards Council plans on reviewing the newest version over the next three years, with another update not expected until 2013.

A Shift in Responsibility
Over the last few years, the PCI Security Standards Council has been vocal about its stance that security does not equal compliance and compliance is no guarantee of security. With the release of PCI DSS 2.0, the Council is operating under a growing expectation that merchants need to go beyond DSS compliance. It cannot demand this, but it does expect you to be evaluating your risk independently and documenting your efforts to determine whether the current PCI DSS is adequate for your unique business environment. While this type of independent action is not mandated and cannot be enforced or penalized, it is in your best interest if you want to protect your brand, reputation, and finances against the disaster of a data breach.

Additional Content
In order to make your transition over to PCI DSS 2.0 as seamless as possible, we have prepared a downloadable PDF summary of the updates. However, keep in mind that many special interest groups are making significant progress on emerging issues that impact our industry, including wireless, virtualization, point-to-point encryption, pre-authorization, and scoping. Over the coming months, additional content on these issues will be available. We encourage you to read it and invite you to come to us with any questions that come up.