PCI Compliance Changes Promote Log Management

The PCI Security Standards Council has updated the PCI DSS and PCI PA-DSS with a number of clarifications meant to help businesses improve compliance and security.

The PCI Security Standards Council officially unveiled updated versions of compliance regulations Oct. 28 with minor changes meant to clarify the requirements organizations face.

The revisions to the PCI DSS (Payment Card Industry Data Security Standard) and the PCI PA-DSS (Payment Card Industry Payment Application Data Security) are largely language changes and clarifications. The new versions will become effective Jan. 1.

"All of these changes are coming as a direct result of the feedback that we got, and I guess what they prove out is that the standard is basically maturing in that people are understanding it and adhering to it much better," said Bob Russo, general manager of the PCI Security Standards Council.

The key revisions cover areas such as log management and scoping the environment to understand where cardholders' data resides. There were also revisions meant to enable organizations to develop a risk-based assessment approach based on their specific business circumstances as well as changes designed to appeal to small merchants to simplify their compliance efforts.

"Some of the biggest changes...are in the small merchant area, [such as] simplifying the self-assessment questionnaire and the validation process for these guys," Russo said.

The council is pushing hard for centralized logging with both standards, he added.

"If you don't use a centralized logging facility then your guys have got to look in more places, and chances are if [they] have to look in more than one place...you'll wind up missing some of this stuff," he said, adding it is a "proven fact that every time we find a breach, it's always found in the log."

Validation against the previous versions of the standards (1.2.1) will be allowed until Dec. 31, 2011 in order to give organizations time to implement the latest changes. From Jan. 1, 2012 and moving forward, all assessments must be under version 2.0 of the standards.

"While most of the changes in PCI-DSS 2.0 clarify the existing requirements, some key areas are around encryption, application security, wireless and virtualization technologies," noted Mandeep Khera, CMO of Cenzic. "Changes related to application security including ranking of vulnerabilities according to risk and expanding the scope of vulnerability testing are critical, as these changes will help improve the Web security of online merchants... These changes will go a long way toward preventing credit card fraud, but we must make sure these guidelines are enforced."