Revised payment card standard due this Thursday
PCI DSS v2.0 will help boost the number of compliant businesses, say insiders
A revised security standard for payment card details, due to be published on Thursday, will increase the safety of e-commerce and encourage online merchants to manage their transaction systems better, say industry experts.
The Payment Card Industry Data Security Standard (PCI DSS) version 2.0 is due to be released on 28 October by the PCI Security Standards Council (PCI SSC).
The revision to the six-year-old standard is based on extensive feedback from merchants gathered over the past two years since the release of the last revision – 1.2 – in 2008.
Merchants have yet to adopt the standard in large numbers. Recent reports show even top-tier online retailers have been confused by the requirements.
However, an increase in the number of reported cyber crimes has turned compliance with the standard from an annoying cost of business to a must-have, said Ross Brewer, vice president of international markets at compliance specialist LogRhythm.
“Organisations have often regarded PCI compliance as a one-off, tick-box item, especially outside the litigious US,” Brewer told Computing. “But the increase in cyber crime has been a real wake-up call.”
Once v2.0 is in place, the SSC is likely to press payment card operators to increase transaction fees and lobby for increased fines and greater disclosure for breaches, added Brewer.
However, compliance involves a large amount of carrot as well as stick, Brewer said: because it implies continual logging and analysis of traffic, it could be a boon to online retailers seeking to better manage the behaviour of data and applications on their IT infrastructure.
“There are numerous benefits [to compliance] in terms of visibility of infrastructure and application behaviour,” he added.
The revision of the standard is also expected to address thorny issues such as virtualisation. PCI DSS v1.2 demands more stringent security – such as access authorisation, firewalls and encryption – on servers that carry PCI-regulated cardholder data than on other servers, which has caused debate as to whether "server" means a physical machine or a virtual one, and how much of the surrounding virtual infrastructure is therefore in scope.
Applied strictly, if a virtual machine carries PCI-regulated data, the whole virtual stack in which it sits – the hypervisor and physical host, and any host to which the machine might be re-allocated – has to comply with the standard.