A Peek At The Next Version Of PCI

Clarifications but no big changes -- and that's what concerns some security experts

The next version of the Payment Card Industry Data Security Standard (PCI DSS) won't feature any major changes, giving merchants a little breathing room in their efforts to meet the requirements for securing cardholder data. Instead, the specification, as well as its companion Payment Application Data Security Standard (PA-DSS), will feature more clarification than change.

The PCI Standards Council today released a summary of what's to come in late October, when the next major releases of PCI DSS and PA-DSS arrive, versions 2.0. Bob Russo, general manager of the PCI Standards Council, says the idea is to highlight what's coming up in the next version so merchants will have time to prepare. "We're trying to take as much pressure off of merchants, giving them as much time as possible to look at what's out there," Russo says. And part of that is clarifying the scope of the specs, he says.

Among the clarifications to PCI: The DSS now reinforces the need for merchants to use a "discovery methodology" to find cardholder data in their networks; the PA-DSS now includes centralized logging; and organizations will be able to consider which specific risks apply to them when assessing and prioritizing vulnerabilities.

Russo says the clarifications are all based on input from the PCI community and don't represent any big changes to the specifications. "If you are compliant with 1.2, you shouldn't find it difficult to comply with 2.0," he says.

The changes and clarifications are more about the administration of the PCI compliance process, notes Joshua Corman, research director for the enterprise security practice at The 451 Group. He says the PCI Standards Council is grappling with striking a balance between its goal as a standard for securing cardholder data and the realities of implementation by the merchant and vendor communities. "This gives more lead time to the folks being audited, but none of this is about doing a better job of preventing breaches. It's more about the administration of the [PCI] process," Corman says.

Corman says PCI version 2.0 needs more teeth. "The standard in its current 1.2 and 2.0 forms is not sufficient to prevent attack from a determined adversary," he says.

Gary Palgon, lead chair for the PCI SSC Scoping Special Interest Group's tokenization working group, said in a blog post today that the card brands themselves may be hindering PCI's success. "One critical area hindering industrywide standards adoption lies with the card brands themselves, as some continue to issue their own, independent standards for PCI compliance instead of conforming exclusively to PCI SSC-derived standards," he wrote. "Having a universal, singular standards set is paramount for easing compliancy requirements and reducing complexity for merchants and service providers alike."

Palgon says that while the new PCI changes clarify many of the PCI requirements, more specific guidance is needed for emerging technologies, such as encryption and tokenization -- both of which are due to arrive with the new spec this fall. "Overall, the industry is heading in the right direction, as the soon-to-be-released 2.0 versions of PCI DSS and PA-DSS demonstrate, but a more cooperative, aggressive approach is required for ensuring enterprise security standards in a timely manner," blogged Palgon, who is also vice president of product management at nuBridges, a tokenization vendor.

Meanwhile, the PCI Council's Russo says PCI DSS now reinforces the need for having a "scoping exercise" to find bundled cardholder data. "We're not endorsing any discovery tools. But before you bring in a QSA, you really need to use some kind of methodology to find where cardholder data is on the network," he says. "Before, we hadn't really talked about using any of these methodologies. We just said you should know where your data is. We are now encouraging people to reach out using one of these discovery methods."

The PA-DSS is also now more closely aligned with the PCI DSS, he says. The spec adds a requirement for payment applications to support centralized logging, which is part of PCI DSS, he notes. "Centralized logging is really important to us," Russo says.

Risk tolerance is now being encouraged in the PCI DSS: "We made it more of a risk-based approach so merchants can make decisions on their own on a vulnerability that might show up -- if their risk tolerance for a vuln is very low, then they can work in conjunction with the QSA," and they don't necessarily have to address it if it's a low-risk problem, he says.

Another clarification addresses PCI DSS 3.3 and 3.4, which require that payment application passwords be made unreadable (encrypted) while being transmitted and stored. The clarification notes that this applies only to the primary account number (PAN).

The full description of changes and clarifications to PCI DSS 2.0 and PA-DSS 2.0 is here (PDF). The PCI Standards Council will hold community meetings in Orlando and Barcelona, where the proposed changes can be discussed, before publishing the final standard on Oct. 28.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...