PCI-DSS 2.0 Emphasises Transaction Log Management

The Payment Card Industry (PCI) Security Standards Council officially unveiled version 2.0 of its Data Security Standard (PCI-DSS) and Payment Application DSS (PCI PA-DSS) compliance regulations with minor changes designed to clarify their requirements.

“While most of the changes in PCI-DSS 2.0 clarify the existing requirements, some key areas are around encryption, application security, wireless and virtualisation technologies,” noted Mandeep Khera, chief marketing officer for Web application security specialist Cenzic.

“Changes related to application security, including ranking of vulnerabilities according to risk and expanding the scope of vulnerability testing, are critical as these changes will help improve the Web security of online merchants… These changes will go a long way toward preventing credit card fraud, but we must make sure these guidelines are enforced,” he said.

Better Understanding Of PCI Requirements

The revisions to the PCI DSS and PCI PA-DSS are largely language changes and clarifications. The new versions will become effective January 1.

“All of these changes are coming as a direct result of the feedback that we got and, I guess, what they prove is that the standard is basically maturing in that people are understanding it and adhering to it much better,” said Bob Russo, general manager of the PCI Security Standards Council.

The key revisions cover areas such as log management and scoping the environment to understand where cardholders reside. There were also revisions meant to enable organisations to develop a risk-based assessment approach, based on their specific business circumstances, as well as changes designed to appeal to small merchants to simplify their compliance efforts.

“Some of the biggest changes… are in the small merchant area, [such as] simplifying the self-assessment questionnaire and the validation process for these guys,” Russo said.

The council is pushing hard for centralised logging with both standards, he added.

“If you don’t use a centralised logging facility then your guys have got to look in more places, and chances are if [they] have to look in more than one place… you’ll wind up missing some of this stuff,” he said, adding it is a “proven fact that every time we find a breach, it’s always found in the log”.

Validation against the previous versions of the standards (1.2.1) will be allowed until December 31, 2011, in order to give organisations time to implement the latest changes. From January 1, 2012, and moving forward, all assessments must be under version 2.0 of the standards.