PRINCETON, NJ - The recently released summary of proposed changes to the Payment Card Industry Data Security Standard (PCI DSS) has received mixed reviews from security experts, with some calling the PCI Security Standard Council's summary "a letdown," Bank Info Security reports.
"There's nothing earth shattering, and most of the 'hard work' that many are waiting for is still not done, and is being left to the special interest groups to figure out," said Avivah Litan, a security analyst for the Gartner Group.
That 'hard work,' Litan said, includes understanding the relationship between PCI compliance and implementation of Chip cards, point-to-point encryption, and how those rollouts can potentially limit the requirements of PCI audits.
According to Bob Russo, general manager of the PCI Security Standards Council, the proposed changes offer no new requirements, but clarifications and additional guidance on existing requirements. For some, though, there is still much left to interpretation.
"The overview of the changes is helpful for us to understand where the council is moving, but most of the change will be driven by interpretation of intent," said Branden Williams, Director of the Security Consulting Practice at RSA.
The summary of changes includes clarification that the card issuers or processors are allowed to store authentication data because of their legitimate business needs. However, Litan said what's missing there is enforcement or deadlines for PCI compliance at issuers or their processors.
"While the PCI standards council is not responsible for actually enforcing PCI (the card brands are)," Litan said, "this particular clarification highlights the unequal treatment across the card food chain, as all of the enforcement attention and deadlines are placed on the merchants, merchant acquirers, merchant processors and other card-accepting organizations - with no corresponding enforcement efforts or deadlines on the card-issuing side."
"NACS and PCATS have led the effort to reduce the ridiculously complex and unworkable certification process for small retailers." Said Gray Taylor, Executive Director of PCATS and Card Consultant to NACS. "Our proposal made to the PCI Council in March is reported to be incorporated in the new standards, and we are looking forward to full adoption of our proposal; along with the restaurant, grocery and general retail trade associations who endorsed it".
The full draft of the proposal is expected to be released next month.