Wednesday, August 18, 2010

Brief PCI Council Interview in Regards to PCI DSS 2.0

Everybody knows that PCI DSS 2.0 is coming! The Council released a summary of changes for version 2.0 [PDF] to be released in October 2010. Council folks have granted this brief interview to Security Warrior Blog; it is provided below in its entirety:


Q1: As promised, the changes to PCI DSS are minor. Are you worried that since the next edition will come in 2013, both technology and threat landscape will change way too much and DSS will lose its relevance over time?

PCI Council Answer 1: The Standard is maturing and is increasingly being adopted globally, that's part of the reason why there are no new requirements  in DSS 2.0. Nonetheless, we always have in place an errata process that allows us to add elements or requirements to the standards as necessary. It is important to note that in the years that the standards have been in effect, there has never been a specific threats that has required this. [emphasis by A.C.]

[A.C. – I am sure the highlighted bit will rile a lot of noisy security folks with minimum knowledge of the payment industry, but, upon some thinking, I actually tend to agree with it - mostly. The issue is not with “requirements are stale”, but with merchants not doing this stuff. Daily log reviews are MANDATORY for PCI DSS compliance (see Req 10.6). Are they ALL doing it? Ha. And people still fall victim to passwords guessing en masse – like its 1983. Even future “PCI in the cloud” is fairly well addressed by Req 12.8. So please can this “threats are dynamic” snivel…]


Q2: Does Council plan to launch any studies on the effectiveness of "the new PCI DSS" vs today's cyber attacks against payment card data?

PCI Council Answer 1: While we have no plans for an official study, we do receive feedback and public forensic reports, like the recent Verizon Data Breach report that allow us to review forensic data gathered globally. [link added  by A.C.]


Q2: Will there be any changes to Prioritized Approach to PCI DSS document in light of PCI DSS changes?

PCI Council Answer 3: Not at this point, but the new DSS does allow, on a merchant by merchant basis, a certain degree of a risk-based approach during their assessments.

[A.C. – this means that “implementation first, policy last” thinking will stay in. Intuitively, I get it – policies on their own don’t stop loss, while removal of PAN storage does – but I expect a lot of whining over this one as well]


Q4: Does Council plan any additional implementation guidance along the lines of wireless guidelines to help merchants comply with PCI 2.0?

PCI Council Answer 4: At some point, we will be releasing a similar set of guidelines on Bluetooth deployments, similar to the Wireless Guidelines.

There you have it. And we wouldn’t even have to update our PCI book much :-) Go PCI 2.0!

Dr Anton Chuvakin