PCI Compliance Not Getting Any Easier (Yet)

By Mercator Advisory Group
January 7, 2013
in Analysts Coverage
The process of merchants achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is something of a “rock road,” according to a feature article in this month’s SC Magazine. The article’s main point is that, while the updated Standard released over a year ago brought additional clarity to the DSS, the current version is still too vague.

Security assessors and other vendors quoted in the article imply the guidance may be loose enough for merchants to align with assessors willing to validate compliance using lax criteria, effectively rubber-stamping merchants as compliant when they are not fully secure.

From the article:

Speaking to SC Magazine, Laurie Coffin, vice president of marketing at Quarri, says that because PCI DSS “just has guidelines and you have to figure out what they mean”, its interpretative format differentiates it from the code of other regulatory bodies.

“It depends how you interpret it and what auditor you end up with; they could be checking boxes,” says Coffin. “The guidelines detail firewalls and encryption, but the rest is about best practice. It is not like other regulations – achieving compliance depends on your auditor.”

Another passage details the changes that PCI DSS version 2.0 brought to the card data security landscape:

In short, PCI DSS 2.0 provides requirements and guidelines on how to store, process or transmit card data electronically. The key changes include the requirement of merchants to carry out a risk-based vulnerability assessment, while applications involved with credit card data – such as card readers, online shopping baskets and mobile payment systems – must undergo a lengthy and complex code review to uncover any security issues.

Also added is the requirement for tokenisation, to include an extra layer of security. For merchants, this reduces the scope of the PCI DSS assessment, as it uses random numbers and letters instead of storing highly sensitive primary account numbers. Specifically, it minimises risks and decreases PCI audit costs, as tokens are only stored on one secure external server, rather than having multiple parts within the payment chain.

The lengthy article hints that a third version of the DSS may be in the offing sooner rather than later. The piece also contains commentary on the virtues of Level 1 compliance for payment providers, defines managed security service providers (MSSPs), and addresses the changing nature of scope determination, among other points.
