Information Security Wordle: PCI DSS v1.2 (try #2)
Image by purpleslog via Flickr

PCI SSC has pre-announced the summary of changes for expected PCI 2.0 in October 2010. Based on summary report most of the changes are clarification or guidance.

According to Bob Russo, general manager of the PCI Security Standards Council.

“This version is 2.0, and the connotation is that there will be major changes, but that isn’t the case,” he told CSNews Online in a telephone interview. Most of the changes are “clarifications” such as combining requirements 10 and 11 for the PA-DSS (Payment Application Data Security Standard), which the council found redundant.

“The standard is pretty strong at this point and is maturing, so there are no major changes this time around,” Russo said in the interview. “Basically we are releasing clarifications and explanations on how to comply further down the line.”

Time will tell if PCI SSC will allow organizations to pick controls based on their enviroment or risk appetite during risk management. Basically most of the industry icluding some government agencies are following risk based approach to address secrity risks. Instead of saying Yes at each control, SSC should give small organization some flexibility to pick contols which fits their needs, we might see higher rate of compliance in small to medium size businesses. Also risk based approch will help larger organizations to tie up PCI DSS to their existing security management system.

Remember PCI DSS still addresses the cardholder data infrastructure of an organization. Let’s hope the future versions will involve some guidance for small to medium size companies how to address risks outside the scope of PCI DSS.

Summary of changes for PCI DSS 2.0