Tuesday, October 5, 2010

PCI Community Meeting Outcomes

The PCI Council held its annual Community Meeting in Orlando September 22-23. Tom Davis of Indiana University and I attended representing NACUBO and, thereby, all of you. Here is a brief summary of what happened and what we learned (with apologies for our being late).

Hopefully everyone knows by now that the DSS has moved to a three-year lifecycle. That means version 2.0, which will be released in late October, will become effective January 1, 2011 and remain in force for an expected three years. Another implication is that the current version 1.2 will remain valid until the end of 2011, so for the next year you can renew your validation under either version of the standard.

The Self-Assessment Questionnaire (SAQ) process is the same, but there will be some changes, particularly (I expect) to SAQ C. The changes were not announced, but they should be made public with v 2.0. A new Navigating the PCI DSS will be released at the same time. This is a particularly valuable document that too many people don’t know about, and that’s a shame. It focuses on the intent of the requirements, which, as we all should know, is the key.

The Council will be revamping its website to provide more information for small and medium-sized merchants. This is really good news. We saw screen shots, so we can’t say too much about what will be there, but we can look forward to additional information and resources, which will benefit many Higher Ed institutions.

Importantly, two new white papers are being released. The more relevant is the “Initial Roadmap – Point-to-Point Encryption and PCI DSS Compliance.” The other, “PCI DSS Applicability in an EMV Environment,” covers chip cards. Each document addresses how the technology can reshape your PCI scope and, therefore, your PCI compliance effort. In the Council’s words:

Currently no global standardization of point-to-point encryption technology or validation of its implementation exists in the industry. However, by providing this new guidance on P2PE, the Council has taken the first step by definitively stating that P2PE may simplify PCI DSS compliance by reducing the scope of the cardholder data environment. In identifying the environments that still require the security protection of the PCI DSS, the guidance determines that P2PE solutions do not eliminate the need to maintain PCI DSS compliance for specific systems. It also recognizes the need for a set of criteria to validate the effectiveness of P2PE solutions so that merchants can have confidence that the solution they deploy properly secures cardholder data, which the Council plans to develop and release in 2011.

There are a number of clarifications to particular PCI requirements, and some requirements with multiple parts have been restructured into individual sub-sub-sections. Therefore, when you see v 2.0 it may look longer or thicker, but there really isn’t much that is new or additional.

We also heard reports from the various Special Interest Groups or SIGs. They are still studying Virtualization, Scoping (now broken into three separate working groups: Encryption; Tokenization; Scoping Considerations), Wireless (working on Bluetooth now), and Pre-Authorization Data (think automated gasoline pumps and hotels). My personal favorites – and the ones I’m watching – are two of the Scoping SIG working groups: tokenization and scoping considerations. Hopefully we’ll see reports and recommendations early in 2011.

Version 2.0 is scheduled for release on October 28. Mark that date. Once the revised SAQs are available I’ll be discussing them here, along with the implications for your campus. In the meantime, have a look at the white papers if they are of interest. Personally, I’m much more interested in the Tokenization paper coming out in the new year.
