Analysts: Changes to PCI rules help the measure

Last week's enhancements to the Payment Card Industry Data Security Standard and the creation of a new company for managing the standard should help alleviate some core issues related to its adoption, analysts said.

The PCI standard is a set of 12 security requirements that all entities handling credit cards were expected to have in place by June 2005. The standards call for, among other things, the encryption of cardholder data, periodic network vulnerability scans, logical and physical access controls, and activity monitoring and logging. The requirements are being promoted by all of the major payment brands, including American Express, Visa International, MasterCard Worldwide, Discover Financial Services and Japan Credit Bureau.

Last week, the companies released Version 1.1 of the standard, featuring some expected changes. They also announced the creation of the PCI Security Standards Council, a company that will be responsible for developing and maintaining the standards.

Both moves have been expected for some time now, said Khalid Kark, an analyst at Forrester Research. Even so, the announcements should help drive broad adoption of the standard, he said.

One of the most significant changes in the new version is the allowance for companies to put in compensating controls in cases where they are unable to implement a prescribed requirement because of technical or cost reasons. For instance, firms that find it difficult to encrypt stored cardholder data will no longer be absolutely obligated to put that specific control in place -- as long as they can verifiably demonstrate other equally good measures for mitigating risk to the data, said Seana Pitt, chairwoman of the new company.

As long as companies can demonstrate to a PCI auditor that they are meeting "the end goal of protecting the data" via compensating controls, they will be considered in compliance with PCI requirements she said.

The flexibility is especially crucial when it comes to the encryption requirement, because many large companies have been struggling with that issue, said Avivah Litan, an analyst at Gartner. "What this means is that companies can relax a bit about encryption, though it is not asking them to quit" entirely, she said.

"I think most of the problems implementing the previous version of the standard was around this issue of database-field-level encryption," said Amichai Shulman, chief technology officer at Imperva, a security vendor. "I think this makes it more practical to implement the requirements of this standard."

The release of Version 1.1 of the PCI standard is also likely to clear up confusion that may have existed regarding the acceptability of compensating controls, Litan said. "They have never recognized [the use of compensating controls] in writing. Everyone knew you could have compensating controls when you worked with a PCI assessor, but it was never acknowledged officially."

Also significant are new rules that require companies to put controls in place for better securing their application software against online threats, Shulman said. Companies are required to install the latest software patches, help identify new vulnerabilities, do application code reviews and help protect against specific Web security threats. Such measures are crucial to ensuring the integrity of the application environment, he said.

Meanwhile, the newly created PCI Council will focus on spreading awareness about data security and soliciting feedback on how to develop the standard further, Pitt said. "We are reaching out to merchants and processors to get them involved in the next standard," Pitt said. "We have heard from the market that they have no voice. This will give them that voice."

The newly created entity will also have oversight of the training and certification of auditors and vulnerability-scanning vendors across all of the payment brands, Pitt said. The idea is to have a standard certification process instead of letting each payment brand be responsible for certifying PCI auditors and scanners, she said.

The changes are a step in the right direction, Litan said. But they would have been more effective if the newly created PCI Council had also been vested with the authority to oversee and enforce compliance, she noted. As it is, each of the payment brands will continue to apply its own slightly differing enforcement approaches to PCI, thereby raising complexity for covered entities.