Version 2.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) went into effect on January 1, 2011. While v2.0 contained 132 changes, only two were new “evolving requirements” (PCI speak for a new requirement implemented to “ensure that the standards are up to date with emerging threats and changes in the market”).
Those two new evolving requirements are: 1. expanding the examination of vulnerabilities to include ranking them according to the individual business’s risk (PCI DSS 6.2), and 2. adding a requirement that payment applications support centralized logging (PA-DSS 4.4).
To comply with PCI DSS 6.2, companies must establish a process by which they identify newly discovered security vulnerabilities and assign each one a “risk ranking.” PCI recommends that the risk ranking be based on industry best practices. Beyond establishing the process, compliance also requires interviews with responsible personnel to confirm three things: that the process is actually identifying new security vulnerabilities, that it is actually assigning a risk ranking to those vulnerabilities, and that the process for identifying new vulnerabilities includes referencing outside sources.
Additionally, PA-DSS 4.4 requires that a company’s payment application facilitate the merchant’s ability to assimilate its logs into a centralized log server. To comply, companies must ensure that their payment system can meet this requirement and examine the PA-DSS Implementation Guide prepared by the vendor to verify that users are provided with instructions and procedures on how to accomplish it.
Both of these evolving requirements are considered best practice until June 30, 2012, after which they become mandatory requirements.
So, if your job is to ensure PCI compliance at your company, what do these changes mean for your organization? If your company already has a robust compliance program in place, your existing program will likely not change much, if at all. The reason? These two new requirements simply codify existing compliance program best practices.
With PCI DSS 6.2, compliance is an extension of a standard compliance program best practice, which is simply to ask the people who know for their input.
In so many compliance programs, there is a focus on complying with the letter of the requirements, often to the detriment of asking simple questions of the people who have the knowledge. Some of those questions are: “Is this process actually doing what we intend it to do?” “Are we looking for the right problems?” “What are the unique risks in our business?” and “Have we benchmarked our process against others in our industry?” If you have a robust PCI compliance program, you were probably already asking these questions and benchmarking your program before this new requirement went into effect.
Similarly, PA-DSS 4.4 requires companies to do work that a robust compliance program would already be doing: ensuring that the vendors and products you choose for your compliance program meet your needs not just today, but are innovative and forward-thinking enough to address your compliance needs in the future.
So, how do you choose such vendors and products? When you are doing your due diligence to select your vendor and products, look beyond just your immediate needs. Look at the company. Do they have a history of innovation? Do they hold important and relevant patents in the technology? Are they leaders in the industry? Ask to understand their philosophy and view of the world.
These factors are often overlooked when evaluating a vendor or a product. Typically, you are looking to solve a problem and focus only on what can be done today, ignoring what you might need tomorrow. However, once you have chosen your vendor and product, you want this to be a growing and expanding partnership, not a one-time purchase that you might have to rip and replace a few years down the line.
In compliance programs, it is often said that following best practices achieves better results. If you are already following compliance best practices, the new PCI DSS and PA-DSS requirements should be very easy to implement.
**********
About the Author
Barbara Rogan joined LogLogic, Inc. in April 2008 and is responsible for the company’s legal needs. Rogan previously served as Senior Corporate Counsel at Brocade Communications where she supported the Services and Support business unit’s legal needs.
For more information, visit Ms. Rogan’s author page.