New PCI Lifecycle Gives Retailers A Way To Game The System

Written by Walter Conway
June 24th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

As we reported back in mid-April, the PCI Council has, this week, officially announced that the new versions of both PCI DSS and PA-DSS will move to three-year lifecycles. Because the PCI assessment cycle is only 12 months, this timing raises an interesting possibility for a retailer to game the system.

The change represents an increase of one year over the current two-year lifecycle. It should be good news for retailers and application developers alike. Changes to the standards will come less often, and there will be more time for comment on proposed changes.

This week’s release is the first in a series of announcements and research papers expected over the summer as the PCI Council rolls out its revised version of the PCI DSS in advance of the PCI Community Meeting in Orlando in September.

Looking at the new PCI DSS and PA-DSS lifecycles, there are no bombshells. Instead, there are some interesting nuances for retail CIOs. For one thing, the sunset date for the old requirements is stretched out. Retailers also have more time to implement changes.

Under the current lifecycle, the revised standards would be published in October and become effective immediately. This timing is not very useful for retailers because it coincides with the fourth-quarter freeze on system changes. It also means retailers have only six months (from January to June 2011) to implement the new standard. The new lifecycle, on the other hand, gives retailers a year.

The new three-year lifecycle means the present (version 1.2) DSS won’t be retired until December 2011. This change gives retailers as many as 15 months to implement and validate under the revised DSS. Because the PCI assessment cycle is only 12 months, this timing raises an interesting possibility for a retailer to game the system. A retailer could, for example, validate compliance against the outgoing 1.2 version of the DSS in the fourth quarter of 2010 and use that same version again in the fourth quarter of 2011, just beating its retirement date. The implication is that such a retailer would not have to validate against the new version until the fourth quarter of 2012.

This quirk of timing is more of a curiosity than a flaw resulting from the extended lifecycle. I don’t think anyone would recommend this strategy and, as a QSA, I would argue very strongly that retailers–for their own sake–comply with the latest version of PCI as soon as possible. Additionally, because no major changes are expected to the new version, I don’t think a retailer would gain very much by waiting.

