PCI DSS: Deadline? What deadline?

29 Sep 2010

As we approach the end of September 2010, some organisations that handle payment card transactions may be worrying about the “Sept 30th 2010 deadline” for PCI DSS compliance.
 
PCI DSS is the payment card industry data security standard that outlines how payment card data must be handled. Some IT security vendors have been touting Sept 30th 2010 as a date that necessitates an urgent investment in their products. Quocirca has seen this variously described as a deadline from the PCI Security Standards Council (PCI SSC) itself, the introduction of a new version of the standard and a UK deadline for compliance.
 
However, go in search of the facts about the deadline and you may get frustrated, because they are hard to pin down. First, as the PCI SSC clearly states in a FAQ document that has a high profile on its own web site, it does not impose deadlines:
 

“What are the deadlines for complying with PCI DSS?

Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should check with your acquirer and/or merchant bank to check if any specific deadlines apply to you, based on merchant transaction volume (level) as determined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.”

All it really says is that you must comply, and that the five brands, namely Visa, Mastercard, AMEX, JCB and Discover, mandate compliance and set deadlines for validation of that compliance. Neither the PCI DSS nor any of the brands operates solely at the UK level, so it is hard to see how there could be a UK deadline, unless an individual brand chose to set validation dates by country.

The two most widely used brands in the UK are Mastercard and Visa. So, what do they have to say?
 
The last new version of the PCI DSS (v1.2) was released in October 2008 and as of today (Sept 29th 2010) this is still the current version on the PCI SSC web site, and there is no high-profile discussion of a new version.
 
Mastercard does outline some deadlines for compliance on its web site, but none of these is for Sept 30th 2010, and they vary according to the “merchant level” (how big a given organisation is with regard to the number of transactions processed). For level 1 and 2 merchants a June 2011 deadline is set, but read the small print:
 
“Initial Compliance Validation Date for Level 1 & 2 merchants has passed. 30 June 2011 Deadline affects merchants that choose to conduct an annual onsite assessment using an internal auditor.”
 
What about Visa? It too lays out guidelines by merchant level for compliance, but does not mention a deadline. However, in a 2008 press release it did: http://corporate.visa.com/media-center/press-releases/press873.jsp. There it sets out some “Globally Aligned Mandates”:
 
February 1, 2009 – Effective date for globally aligned Service Provider level definitions
September 30, 2009 – Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction
September 30, 2010 – PCI DSS compliance validation deadline for Level 1 merchants

So here is that elusive date at last: one date in a series of compliance steps from one card brand.
 

September 30th 2010 is a date that merchants accepting payment by Visa should be aware of, but it is not the widely talked-about apocalyptic date that some in the IT security industry have suggested makes an investment in their products or services unavoidable right now.

Of course, PCI DSS compliance does require an on-going review of data handling procedures and IT security, but if your organisation is not already well down the road with this, you have already missed most of the deadlines.

Less FUD, more facts please!

Bob Tarzey, Analyst and Director, Quocirca


Reader comments

PCI DSS is something all online retailers simply cannot ignore – if you’re in business online you need to be able to prove your systems are compliant if you are to avoid a weighty fine. The requirements, though, are steep – the documentation runs to over 70 pages – so many smaller businesses just don’t have the space to do it for themselves. Outsourcing the entire payments process to specialist payment service providers can sidestep the issue. As these companies have already adopted PCI DSS, their customers comply by default. It means they are safeguarded from future changes to the rules, and can also benefit from additional capabilities, such as online fraud detection.

Posted by: Michael Norton, MD, PayPoint.net, 12 Oct 2010