PCI Council releases new security standard

Oct. 6, 2008
Payment Card Industry security standards affect financial industry, retailers

The PCI Security Standards Council (PCI SSC), an open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced general availability of version 1.2 of the PCI DSS.

The Council said this latest version is the culmination of two years of feedback and suggestions from its industry stakeholders and is designed to clarify and ease implementation of the standard for cardholder account security. Version 1.2 is effective immediately and version 1.1 of the standard will sunset on Dec. 31.

The updated standard and supporting documentation are available on the Council's Web site at pcisecuritystandards.org/security_standards/pci_dss.shtml.

The Council previously published a summary of the changes between version 1.1 and version 1.2 to raise awareness of the coming revisions to the standard. Version 1.2 includes clarifications and explanations of the requirements that improve flexibility in meeting today's security challenges and help ensure organizations can adequately comply with the standard. While version 1.2 does not introduce any new major requirements beyond the existing 12 in place since the Council's inception, the updates do change some practices, such as the sunsetting of Wired Equivalent Privacy (WEP) wireless security implementations by June 2010.

"This latest revision to the PCI DSS is welcome news for merchants and service providers as they grapple with the latest security threats to their payment transaction systems," said Diana Kelley, partner and analyst with SecurityCurve, a data security consultancy. "The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs."

Since the Council's inception in Sept. 2006 and the release of version 1.1 of the PCI DSS, its Participating Organizations and Board of Advisors have been providing feedback on the standard, with global industry input into the revisions. This follows the established lifecycle process, which ensures that the PCI DSS is revised and updated on a two-year cycle. Participating Organizations are given the opportunity to receive early drafts of all pending revisions to the Council's standards and provide the bulk of the feedback during this process. PCI DSS version 1.2 was the primary discussion topic at the Council's recently concluded community meeting in Orlando, Fla., where more than 500 attendees came together to begin the process of strengthening the standards even further.

"It is especially gratifying to know that version 1.2 of the PCI DSS is inclusive of global industry feedback," said Bob Russo, general manager, PCI Security Standards Council. "This ensures that we continue to offer merchants and service providers a pathway to protect cardholder account data that is sensible and achievable."
