PCI Compliance Thoughts for the New Year

With the new year around the corner, it's not too early for businesses to begin lining their compliance initiatives up with the new PCI 2.0 rules.

The onset of the new year will bring with it new compliance regulations.

The updated version of the Payment Card Industry Data Security Standard (PCI DSS) will go into effect Jan. 1. Though companies technically have until 2012 to implement any changes-validation against the previous version of the standard will be allowed until Dec. 31, 2011-it is not too early for organizations to be thinking about how they will be impacted (PDF) by the changes.

"The good news is that the PCI standard has matured quite well now, which is witnessed in the fact that this version mostly had clarifications and guidance," said Sumedh Thakar, vice president of engineering at Qualys. "This should make it easy for merchants to stay compliant even with the new standard."

But the revisions to the rules touch on a number of areas, such as logging, risk-based assessments of security vulnerabilities and project scoping, to determine all the places where cardholders' data resides-all of which could change how some businesses do things. Among the new requirements, Thakar noted, is to "give a risk rating to vulnerabilities found during internal scans and fix all vulnerabilities rated high."

"Merchants will have to put in place some sort of risk rating program that suits their environment by associating risk value to various assets," he said. "This will be ultimately good for the merchants. Instead of having to fix all vulnerabilities, they can prioritize and fix only the high values ones. However, it is something that will require the merchants to put some thoughts and efforts into."

The updated rules also offered some clarifications regarding virtualization, a hot topic for many companies.

"What we're hearing is that auditors and risk management offices have become much more aware of virtualization and are asking very pointed questions," said Renata Budko, co-founder and vice president of marketing at Hytrust. "Internal controls and audit definitely become hot topics as far as virtualization is concerned."

"Separation of duties, exhaustive logs, hypervisor hardening and local root password management are the areas that come up most often," she added. "There is also a lot of talk about making sure that the changes made today scale up with the introduction of cloud architecture in the near future."

The changes the PCI Security Standards Council has made around virtualization are really minor clarifications, Thakar said, meaning that the council does not view virtualization as too much of a special case.

"Whatever controls DSS mandates are still in effect, like firewalls and logs and scans, it's just the technology to do these things changes," he said. "My suggestion to merchants will be [to] make [the] best use of virtualization technologies but ensure that DSS requirements are followed in the spirit that the council intends them to be applied.

"The latest good news is that Amazon EC2 has declared themselves PCI DSS 2.0 compliant," he added. "We expect other IAAS [infrastructure-as-a-service] providers to do the same," he said. "This really opens up a lot of possibilities for merchants to move their PCI services into public or private clouds and still be PCI compliant, so we do expect a lot of merchants to take notice of this."

Any organization that has to comply with PCI 2.0 should revisit their governance, risk and compliance processes and ensure that they are streamlining their operations, said Torsten George, vice president of worldwide marketing at Agiliance.

"In this context, it is important not only to focus their attention on PCI assessment, but also cover the other phases that make up the PCI 2.0 compliance life cycle, namely scoping, assessment, remediation, certification and maintenance," he said.