PCI Compliance Regs Slated for Facelift in Oct. 08

Yesterday, May 14, the PCI Standards Council, the body that oversees the PCI DSS (Payment Card Industry Data Security Standard) announced the formal timeline for releasing Version 1.2 of the specification in October of this year.

PCI DSS was last revised in September 2006 and is still one of the most interesting security mandates in the IT industry. It is specific, it has no legal standing (i.e. it isn't mandated by legislation), and it carries clear and enforceable punishments for noncompliance.

Version 1.2 is expected to eliminate some overlap between various parts of the standard. What exactly is in 1.2 will be revealed at a Webcast on May 22, which I'll be attending and reporting on.

The standard tries to address the challenge of driving security into the previously unregulated consumer retail space, where there is a high volume of relatively low-value transactions and buyers and sellers may have no prior knowledge of each other.

One countervailing pressure has pushed back against a really toothy PCI DSS. The banks and card issuers have so far succeeded in making sure that consumers bear the cost of identity recovery. So, while fraudulent charges are absorbed by the banks, the much higher cost of recovering a stolen identity is left in the hands of the victims. In fact, it has gotten bad enough that identity recovery has been turned into a product sold to consumers like insurance.

But countervailing tendencies are just that: factors that influence the main thrust of a trend without reversing it. In this case, PCI DSS 1.2 is a clear recognition that vendors that accept credit cards must demonstrate at least some semblance of care when processing card data.

There are ways for IT managers to comply with PCI DSS today and when the revised standard is issued in October that minimize costs. Come hear my keynote address on compliance at the Ziff Davis Enterprise Virtual Tradeshow on June 24 to get my thoughts on what compliance means for a best-practice approach to supporting business processes with the best available technology.