No major changes to PCI DSS in 2010, but watch for chip and pin in the future

Bob Russo, the General Manager of the PCI Standards Council, was interviewed by Rob Westervelt of Search Security the other day. The good news for those of you who are still trying to catch up with the last revisions to the regulations is that there are no major changes coming down the pike this year.

A draft of the new DSS will be out in May and should be finalized by October. According to Russo, rather than introduce anything new into the mix, it will add more guidance and explanation around the existing provisions. This really is good news for merchants who are still grasping the implications of PCI DSS in the first place. With something like 6 million Level 4 merchants out there, changing the PCI DSS has major implications. I am glad to see the council taking its time and being cognizant of this.

Let's give the merchants a chance to get compliant with what is out there before we start shoving more regulation down the gullet. But Russo did outline what he thinks are areas we will see change in the longer term. The Search Security article said this:

“Encryption, virtualization and the use of more secure payment terminals are expected to gain more attention. Those topics have been the focus of several special interest groups managed by PCI SSC and a study of emerging technologies to help shape future versions of the standard, Russo said. The organization is also ruminating Chip and PIN technology, though no PCI DSS revisions are anticipated on the issue in 2010.”

The encryption angle has become the poster child of Heartland CEO Robert Carr. While encryption is certainly on the radar, Russo explained some of the challenges around the "end to end encryption" that Carr and others are touting. We would all like to see encryption, but I think Russo is right that we have to be careful about the burden it puts on merchants, processors and equipment makers alike.

Chip and PIN technology is something I think we will see coming on very big in the years to come. The rest of the world already uses it extensively. Instead of storing data on the mag stripe, data is stored on a chip embedded in the card, and a 4-digit PIN is required to use the card. No, it's not perfect, but better, I think, than mag stripes.

In any event, the signal from Russo is clear. Don't worry for now about new regulations coming down the pike. Let's concentrate on making sure what is already contained in the PCI DSS is followed!
