In the last several years, awareness of issues around payment card security and PCI standards has grown exponentially. As more businesses implement Payment Card Industry Data Security Standard (PCI DSS) as a necessary layer in protecting their customers' account data, this increased vigilance will help result in fewer breaches, not to mention losses for businesses, financial institutions and cardholders.
The next few months will feature ramped up discussion of this topic as we head into the next lifecycle stage of the PCI standards, the release of the new PIN Transaction Security standard in the spring and the next iteration of PCI DSS and the Payment Application DSS in October.
As the new chair of the PCI Security Standards Council, I recognize that the challenges in the revision process include the range of divergent voices and speculation about which processes will change and how new technologies will interact with a revised standard.
Our role at the Council is to develop, evolve and promote several standards to protect account data in payment transactions. The primary standard that most are aware of-the PCI DSS-follows a 24-month lifecycle. The lifecycle gives us enough time to address evolving security threats and gradually phase in elements and requirements to enhance security and help companies avoid being in a position of non-compliance the moment a new standard comes out. And, yes, a new iteration of the DSS is coming this year.
The Council makes modifications to this standard based on the input of hundreds of companies that make up our participating organization base: through feedback and suggestions made on our Website; an online questionnaire; real world security assessment information; and through discussions held at our community meetings. As you can imagine, this is a huge undertaking, underlined by the fact that the PCI organization membership has grown nearly 500 percent since we last revised the DSS in October 2008.
WHAT'S NEXT FOR DSS?
The feedback period of the DSS lifecycle process ended in October 2009, and we are now in the feedback review process. At present we are consolidating, categorizing and reviewing thousands of pieces of feedback, all analyzed by our PCI DSS technical working group. In March we will discuss this feedback with our board of advisors and share a summary of feedback based on this material with the public to provide insight into the types of input we have had from our stakeholders. We will then draft a summary of changes to both the PCI DSS and PA DSS to provide clear and precise guidance on what to expect in the next iteration of the standard. We will publish that summary in the early summer. Our participating organizations will then have the opportunity to give us additional guidance and revisions at that time.
After this review, we will begin finalizing the updates with a final review process with the Council's elected board of advisors and prepare to present the new standard at this year's community meetings in Orlando and Barcelona.
OTHER STANDARDS AND SOLUTIONS
Last year, we added payment technologies, such as unattended payment terminals and non-user facing devices hardware security modules, to the newly-named PTS Standard to better reflect the broader environment impacted by the standard. This April, following a final comment and review period currently underway, the Council will release the next version of the PTS Standard.
In light of a number of breaches last year, many folks have leapt forward touting their products as single-step solutions for PCI DSS compliance. I can understand the appeal of these pitches to organizations trying to secure their data, but unfortunately, these claims are too good to be true. I can tell you unequivocally that there are no silver bullets on the path to security.
During the last year, the Council has encouraged the formation of special interest groups and evaluated third-party market research that centered on ways emerging technologies interact with the DSS. In the spring the Council will outline how we plan to approach emerging technologies. We are targeting April to deliver the first guidance on EMV chip with more content to follow. We also have special interest groups working on virtualization, pre-authorization and scoping that will provide additional guidance.
The following milestones provide an overview of what the PCI Security Standards Council has planned for 2010 and what changes to expect along the way:
* November 2009-April 2010: DSS and PA-DSS feedback review process.
* March: Council shares summary of feedback with market.
* Late April: New PIN transaction security (PTS) standard released (formerly PIN Entry Device (PED) Standard).
* Spring: Council shares framework on emerging technologies, and the first piece of guidance.
* Early summer: Summary of proposed changes to the DSS provided to participating organizations and market.
* May-September: New version/revision and final review.
* September 21-23: 2010 US community meeting in Orlando.
* October 18-20: 2010 European community meeting in Barcelona.
* October 2010: Next iteration of both PCI DSS and PA DSS released to public.
Bruce Rutherford is chairman of the PCI Security Standards Council.