Friday, August 20, 2010

PCI Changes – Why technology-specific standards may not be the best direction


As I read the summary of changes and had a few different discussions regarding the newly unveiled PCI DSS changes expected to appear in the upcoming release of version 2.0, I figured I would throw something together to share some of my personal insight.


As industry experts we all agree that the new updates are much needed, and I’m glad to see some much-needed clarity presented in them. Examples of these clarifications include the inclusion of guidance around virtualization, finally encouraging a risk-based approach to addressing vulnerabilities, and centralized logging. My concern comes from the news that any specific references to emerging technologies for protecting cardholder data, such as tokenization, chip-and-PIN and end-to-end encryption, have been excluded.


In my opinion, as security professionals we must not lose sight of the fact that standards such as PCI DSS are set forth to help us identify the scope and the minimum level of security required to attain accreditation. This is why I think it is fully appropriate that specific emerging technologies be excluded from the payment security guidelines. As we all know, emerging technologies and trends change as often as the threat landscape itself; with this in mind, the standards provide us with the scope and the minimum required security, and how that minimum level is attained is, and should be, left to the experts and their individual environments.