Friday November 21, 2008

PCI Security Standards Council issues summary of changes to next version of PCI DSS


The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced Monday this week the summary of forthcoming changes to PCI DSS as it moves from version 1.1 to the previously announced version 1.2 in October.

An overview of the summary of changes, as well as frequently asked questions, can be found on the Council’s Web site.

The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI DSS, PED Security Requirements and the PA-DSS. Merchants, banks, processors and other vendors are encouraged to join in as Participating Organizations.

Changes to the PCI DSS include clarifications and explanations to the requirements, with these clarifications offering improved flexibility to address today’s security challenges in the payment card transaction environment.

The new summary document on these changes highlights the key clarifications by requirement. These clarifications will also eliminate existing redundant sub-requirements while improving scoping and reporting requirements. When version 1.2 is released, incorporating existing best practices, supporting documents will also be updated and consolidated. Most importantly, version 1.2 does not introduce any new major requirements to the existing 12 in place since the Council’s inception.

“The Council’s Participating Organizations, through the feedback process, have provided an invaluable service in enhancing the PCI DSS to meet today’s market needs,” said Bob Russo, General Manager, PCI Security Standards Council. “Version 1.2 should be seen as an improvement, not a departure from tried and true best security practices. By distributing a summary of the forthcoming changes, we are ensuring that stakeholders are not taken by surprise by any of the clarifications.”

With the summary of changes to the revision of the PCI DSS, the Council is giving stakeholders guidance on what to expect when version 1.2 is publicly available. The Council is finalizing the changes to the standard and will be providing its Participating Organizations with version 1.2 in early September.

PCI SSC Participating Organizations and the Council’s Board of Advisors have been providing feedback on the revisions, and the Council is in the final stages of preparing the latest standard and supporting documentation. This follows the established lifecycle process that will ensure that the PCI DSS standard is revised and updated on a two-year cycle. PCI DSS version 1.1 was introduced in September 2006.

 
