Nov. 1, 2010
Due to come into full force in January 2011, revisions to the Payment Card Industry (PCI)'s major
Internet security standards were published on Oct. 28th, following more than five months of complex
negotiations at many levels.
Overall, the PCI DSS version 2.0 standard, which specifies the core security rules under which eCommerce
merchants and banks are supposed to process all credit card transactions, contains only minor revisions to
what is now a well-established set of minimum best-practice standards for managing ecommerce operations.
The revised guidelines call for greater reliance on a risk-based approach to addressing security
vulnerabilities, rather than a broad "eyes shut" adherence to the letter of the standard. The latest
version of the standard also brings together application and data security standard guidelines and attempts
to simplify the process of overall compliance for small merchants and eTailers.
Despite the many changes, Internet security experts all over the world maintain that the new PCI
standards still remain focused mainly on small businesses.
And that is still a big problem that simply cannot be ignored. Small eCommerce merchants are still forced
to adopt the standards or accept higher card processing fees in general, tougher fines and, for
continual non-compliance, the complete withdrawal of their ability to take e-commerce payments.
The opinions of ecommerce merchants, eTailers, banks, payment processors and suppliers were fully taken into
consideration in developing the revised PCI DSS 2.0 standards, which tie together the Payment Card Industry
Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) standards.
Other measures include increased support for a risk-based approach to security vulnerability
remediation, as well as an increased emphasis on an initial scoping exercise to identify all locations where
cardholder data actually resides before applying the revised PCI requirements.
The PCI Security Standards Council characterises the changes as "relatively minor revisions" to a
"mature standard". The Council has also set up a micro-site designed to help small
merchants reach compliance.
The overall promotion of more effective log management is also on the agenda, along with more detailed
standards for the secure coding of custom-built ecommerce applications.
But Stuart Okin, U.K. managing director of security consulting firm Comsec, said that "confusion reigns"
in the PCI marketplace. He says this is partly because interpretation of the newly revised PCI rules differs
between the U.S. and Europe, but also because Visa and Mastercard are out of sync with each other, a point supported by other
industry observers and by a few banks.
Gary Palgon, vice president of product management at tokenisation technology provider Nu Bridges,
criticized the card brands for continuing to use their "own, independent standards for PCI compliance"
instead of "conforming exclusively to the PCI SSC-derived framework throughout the industry".
Palgon said "Having a universal, singular standards set is paramount for easing compliance requirements
and reducing complexity for ecommerce merchants and service providers alike."
Additionally, other vendors welcomed the recognition of the increased use of virtualisation and
cloud-based technologies in the revised standards. Sumedh Thakar, director of engineering at vulnerability
assessment firm Qualys, welcomed this attempt to align payment industry security standards with 21st century
IT infrastructure realities.
Thakar says "The newly revised PCI standards weren't keeping pace with advances in technology today,
especially the use of virtualisation in a card holder data environment. The existing standards talk about
the notion of having 'One primary function per server'. In a virtualised environment, this becomes a problem
because the environment can be pretty dynamic and you could have virtual servers with different primary
functions, like Web servers, email servers and database servers, all on the same physical server which
would be a violation of the newly revised rules."
Rafe Pilling, PCI Consultant at SecureWorks, agreed that the approach to virtualisation in the e-commerce
regulations remains unclear and confusing at best.
Pilling said "Although there are no groundbreaking changes in PCI DSS 2.0, there still have been some
clarifications made to the standards and some developments on how companies using virtualisation must
comply with the PCI Data Security Standard (DSS)."
Ecommerce merchants sometimes hold back on introducing virtualisation technology in their PCI environments
for fear of being deemed non-compliant, according to Qualys. The revised regulations remove that uncertainty
but are likely to have a knock-on effect on other requirements, such as firewalls, penetration testing and
security vulnerability scans, which will need to be factored into testing regimes.
"But companies looking for clear guidance on storing PCI and non-PCI systems in a virtualised environment
might be very disappointed, as the boundaries are not clearly defined and leave a lot to be desired."
The previous version (1.2.1) of the PCI DSS guidelines was released in July of last year. The
Council has now settled on a three-year release cycle, which means that PCI DSS 3.0 can be expected in
October 2013 at the very latest.
Merchants have the choice of applying either version 1.2.1 or 2.0 throughout 2011, before the older
standard is phased out at the end of 2011 and version 2.0 becomes the only option.
Log management and regulatory compliance specialist Log Rhythm notes that many organizations have yet
to meet the PCI SSC's previous recommendations. A survey by Redshift Research back in March revealed that
only eleven per cent of U.K. organizations were PCI DSS compliant, an observation Log Rhythm says still holds
true even after September's PCI compliance deadline for level one merchants.
"Some of the anticipated changes by the PCI SSC can't come too soon," said Ross Brewer, vice president
and division manager of international markets at Log Rhythm.
"Reports reveal some rather high rates of non-compliance, a fact often viewed as a reflection of the
lack of clarity which has negatively affected the standard in the past. Guidance on virtualisation and
the alignment between PCI DSS and the Payment Application Data Security Standard will also be welcome,
while the evolving requirement for centralised logging of payment transactions is a definite plus for the
ecommerce industry as a whole."
Brewer added that complaints about the clarity of PCI DSS are nothing new and sit alongside the
much broader compliance and security issues many companies face today.
This article was featured on Business 5.0.