The new Payment Card Industry (PCI) Data Security Standards (DSS) version 2.0 specifications debuted this week, providing new clarification for how to properly secure online payment and transaction systems.
With PCI-DSS 2.0, security vendors and merchants aren't getting new requirements over the previous PCI-DSS 1.2.1 standard. Instead, the focus with the new specification is on clarity of definition for a number of key areas including virtualization and authentication.
"From my perspective the main reason for changing the standard from V1.2 to V2.0 is to reflect the change from the two-year to the three-year life cycle, rather than the changes to the actual requirements," Jeremy King, European director for the PCI Security Standards Council, told InternetNews.com. "Going forward, each time we complete the cycle then the standard will change by a whole number, thus in three years time the standard will move to version 3.0."
Though there are no major changes, King noted that some of the evolving requirements in PCI-DSS 2.0 will require additional action. One such requirement in the 2.0 specification is the inclusion of a mechanism for ranking vulnerability-related risk.
"The Council incorporated a risk-based approach into requirement 6.2, to ensure that procedures for identifying new vulnerabilities include assigning a risk ranking to those vulnerabilities," King said. "In recognition of this element, we've put sunrise on the requirement, providing those in the payment chain with additional time to implement this into their security programs. Until that time, it is considered a best practice and a recommendation."
Overall, King noted that it is safe to say that if a merchant has achieved compliance against version 1.2, then it should not be a stretch for them to meet version 2.0.
A key area of compliance clarity in the PCI-DSS 2.0 specification is in the use of virtualization technologies.
Sumedh Thakar, PCI solutions manager for security vendor Qualys, noted that with the PCI-DSS 1.2.1 specification there is a requirement to implement only one primary function per server, which led to some confusion for virtual machine usage. According to Thakar, it wasn't clear if the 1.2 specification permitted two virtual machines to run on the same physical server. The 2.0 specification clarifies the issue by allowing multiple virtual machines (VMs) on the same physical hardware, provided each VM is only performing one primary task.
"I think we will start to see virtualization become part of the cardholder data environment (CDE) architecture as this clarification will remove the fear and inhibitions merchants have had with being unable to prove compliance in a virtualized environment," Thakar told InternetNews.com.
With new confidence about the use of virtualization for PCI-DSS compliance, the 2.0 specification could also prove to be a major win for cloud vendors.
"I also feel cloud infrastructure providers will now start pushing their solutions for payment processing as a cheaper alternative to hosting your own hardware just to be PCI compliant," Thakar said. "This was definitely a mental barrier for merchants who didn't want to invest in something that could be rejected as PCI non-compliant."
Though the 2.0 specification has clarified a sticking point for virtualization, Thakar commented that there are still a number of outstanding issues that need to be resolved. Ensuring that all images get patched and scanned is one such area. According to Thakar, scanning and patching images in a dynamic virtual environment, where images go up and down, can be a challenge.
"I think we will see further clarifications from the council in these areas which have not been addressed yet," Thakar said. "Emerging technologies like mobile payments, tokenization, end-to-end encryption have not been expressly addressed in PCI DSS 2.0 but the council had appointed a new CTO and is actively working on coming up with guidance for these issues."