The newest updates to the PCI Data Security Standard and the Payment Application Data Security Standard consist mostly of clarifications and additional guidance, says Bob Russo, general manager of the Payment Card Industry Security Standards Council that oversees the standards.
“The aim is to get more clarity,” Russo tells PaymentsSource. “There are no additional requirements this time around.”
The changes include improved definitions of the secure boundaries between a merchant’s Internet connection and the cardholder data, and they recognize that issuers have a legitimate need to store sensitive authentication data. The changes also enable merchants to rank and prioritize security vulnerabilities.
The ranking and prioritizing change gives merchants better control, he says. “Merchants can decide for themselves what’s really important and what can wait until later to be fixed,” Russo says.
The Wakefield, Mass.-based council drafted the updates by gathering some 900 comments from members of the payments industry, including merchants. About half of the comments came from outside the United States, Russo says.
A summary of the changes to the two standards—one covers all types of electronic payments made with cards and the other, PA-DSS, is specific to payment software—is available now. The council will release the full standards in September so that attendees at two conferences the council is holding this fall have time to study them, Russo says.
The standards will be officially announced Oct. 28 and will become effective on Jan. 1, 2011.
Russo says the council also is considering issuing guidance later this year on emerging technologies, such as tokenization and advanced encryption.