The PCI DSS (Payment Card Industry Data Security Standard), the set of requirements for protecting payment card data that every merchant and service provider that stores, processes or transmits cardholder data must follow, is scheduled for a revision in October 2010 (the current version is 1.2 and the new one will most likely be numbered 2.0). Although there won't be any official announcement of the proposed changes until October, presentations at various trade shows indicate that the changes will be evolutionary, not drastic.
PCI officials have indicated that while there won't be any major new requirements, several existing requirements will be clarified. One of the main areas likely to be modified is the network segmentation requirement, which should get a clearer definition of how the cardholder data environment is to be separated from the rest of your network. While you are, of course, already required to protect cardholder data, there is currently no requirement to search for that data on all of your systems, not just the ones where you process card numbers. That is apparently going to change come October: you will need to institute a formal data discovery process as one of the key steps in complying with PCI DSS. Data discovery has often been paid lip service, but most companies don't have a formal data discovery process in place. For larger enterprises especially, automated discovery and vulnerability assessment tools become almost a necessity for performing a viable and valid data discovery exercise.
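As an added illustration of what a formal data discovery mechanism actually does, here is a minimal cardholder-data scanner in Python. It is example code written for this page, not an official PCI tool or anything the PCI Security Standards Council has published. It pulls candidate 13 to 19 digit runs out of text, tolerates the spaces and hyphens people type between card groups, keeps only runs that pass the Luhn check, and reports each hit with the number masked to first six and last four digits. The sample "files" are constructed inline using the publicly documented test card numbers 4111 1111 1111 1111, 5555 5555 5555 4444 and 3782 822463 10005; the names `scan_sources`, `find_pans`, `luhn_valid` and `Finding` are the example's own.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    """One probable PAN located by the scan (PAN is never stored unmasked)."""
    source: str
    line_no: int
    masked_pan: str
    length: int


# A run of 13-19 digits, optionally separated by single spaces or hyphens
# (e.g. "4111 1111 1111 1111" or "5555-5555-5555-4444"), not glued to
# other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only first six and last four digits, as PCI DSS permits in reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of source name -> text content, line by line."""
    findings: List[Finding] = []
    for name, content in sources.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for pan in find_pans(line):
                findings.append(Finding(name, line_no, mask_pan(pan), len(pan)))
    return findings


# Constructed sample data for this example: an application log, a CSV export
# and a notes file. The card numbers are published test numbers, not real PANs.
SAMPLE_FILES = {
    "app.log": (
        "2010-10-01 12:00:03 order=88213 pan=4111 1111 1111 1111 amount=19.99\n"
        "2010-10-01 12:00:09 order=88214 pan=4111111111111112 amount=5.00\n"
    ),
    "export.csv": (
        "name,card,exp\n"
        "Alice,378282246310005,1012\n"
        "Bob,5555-5555-5555-4444,0311\n"
    ),
    "notes.txt": "Support line 1-800-555-0199, ticket 20101001123457\n",
}


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no}  {f.masked_pan}  ({f.length} digits)")
```

Running it reports the three hits in app.log and export.csv and ignores the second log line (its 16-digit value fails Luhn) as well as the phone number and ticket number in notes.txt. The Luhn check only filters candidates; it does not prove a number is a PAN, and Luhn-valid non-card numbers will still surface on real systems. A production discovery tool also checks issuer (IIN) prefix ranges, handles databases, archives and binary formats rather than plain text, and treats its own findings as cardholder data, which is why the example reports masked numbers only.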
Merchants will have until the beginning of October 2011, a full year after the announcement of the changes, to fall in line with the additional or modified requirements, meaning that auditors must continue to apply the current PCI DSS 1.2 requirements in their assessments until October 2011.