Pritam Bankar, CISA, CISM and Sharad Verma
On 28 October 2010, the PCI Security Standards Council released version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. The standard provides controls and guidelines to secure cardholder data that are stored, processed or transmitted by merchants and other organizations.
This article outlines the changes made from PCI DSS v1.2 to v2.0 to support a detailed understanding of the control requirements and to facilitate the PCI compliance process. Version 2.0 may bring more flexibility to PCI operations and reduce compliance costs for organizations.
The revised standard provides additional guidance and minor clarifications. The changes fall mainly into three categories:
Details of the differences from PCI DSS v1.2 to v2.0 are outlined in figure 1.
Even though there are no major changes, this version was much needed: it provides clarifications and justifications for the existing control requirements. IT and security teams will still have to exercise informed judgment when implementing and complying with PCI controls.
Although organizations are encouraged to adopt v2.0 immediately, v1.2 remains effective until 31 December 2011 to allow merchants to make any changes necessary to maintain their PCI DSS compliance status. PCI DSS operates on a three-year life cycle, so a new version is not expected for at least another three years. Until then, organizations have time to focus on implementing the processes and controls needed to secure cardholder data and comply with PCI DSS v2.0.
Pritam Bankar, CISA, CISM, is a senior consultant within the Infrastructure Management Services group of Infosys Technologies Ltd. He has more than seven years of experience and has led several IT strategy consulting engagements in the areas of information security, IT/IS audits, compliance and regulations, and IT governance.
Sharad Verma is a consultant with Infosys Technologies Ltd. and has more than three years of diversified experience across various domains. He has worked on capability development for the Payment Card Industry Data Security Standard (PCI DSS) and has designed a PCI DSS framework for Infosys. He has expertise in the security domain and has experience implementing ISO 27001.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.