Thursday, January 28, 2010

Changes for PCI In October: "No Surprises"

I just saw a report that references recent statements by Bob Russo, General Manager of the PCI Council, where he talked about possible changes to PCI in October.

According to an article at SearchSecurity, Russo said "There won't be any surprises. We're more likely to see guidance documents." In a lot of ways, this makes sense. The Council is studying a number of relatively new technologies (a couple of examples are end-to-end encryption and tokenization, but there are others) and their impact on both merchant compliance and the DSS itself. With some guidance from the Council, merchants will be more comfortable making choices and deciding how to implement them. As Russo explained:

"End-to-end encryption is a catchphrase because at a certain point along the line, the data needs to be decrypted," prompting key management questions, Russo said. "Key management introduces a whole new series of issues that could cause you to be less secure."

Russo said he doesn't expect an end-to-end encryption special interest group will study the issue. Instead encryption within the payment process will be addressed when other technologies that affect the payment process are identified and studied. The Virtualization Special Interest Group, due to recommend guidance in March on protecting card data within virtualized environments, will address the role of encryption as well, Russo said.

"Unfortunately there are so many different technologies that merchants may have started down the path with that we need to be careful and study them before prescribing them in the standard," Russo said.

We are just over 3 months away from May when the Council will publish the revisions to the DSS for Participating Organizations. I am hoping we have specifics for the Treasury Institute's PCI Workshop (hint, hint...), but at least we'll have Bob Russo himself there - live and in person - speaking to us.
