New PCI Lifecycle Gives Retailers A Way To Game The System
A clear benefit of the three-year lifecycle is that it allows much more time for comments from retailers, their associations, processors and system developers, including two Community Meetings, between expected revisions to the standards. If you haven’t attended one of these meetings (I’ve been to each of the past three), let me tell you they are reason enough to justify becoming a Participating Organization.
The Community Meetings offer unique opportunities for direct and often quite blunt feedback to the Council and the card brands. The communication isn’t all one-way. I can’t think of another standard that both announces sunset dates for current requirements and allows for active feedback from those impacted by the standard. The new lifecycle provides almost one year for draft revisions to the standards to be prepared and discussed. This change is a great improvement over today’s three- to five-month review period.
This longer PCI lifecycle represents a maturing of the standard. It also refutes the arguments, which have always been unfair, that PCI is a moving target. The standard itself has barely changed in the past couple of years. For example, the one change taking effect now is the prohibition on using WEP to protect your wireless networks. And that long overdue change has been two years in coming. What has evolved, though, is the threat landscape, which has led to clarifications and, in some cases, different interpretations by QSAs of what does or does not meet the intent of a particular requirement.
Lest anyone–especially the bad guys–assume that this lifecycle change means PCI is cast in concrete for the entire three years, the Council has explicitly reserved the option to implement what it calls “mid-lifecycle changes” to address new threat vectors or gaps in the standards.
For now, this week’s announcement is good news. But there is bigger news to come. We can expect more announcements concerning changes to both PCI DSS and PA-DSS over the next two months. We can also expect to see reports on emerging technologies (encryption, tokenization and virtualization), clarifying their roles in achieving and maintaining compliance. Bob Russo, general manager of the PCI Council, has promised to release details on changes as they are finalized. Although some of us expected to have seen more details on expected changes by now, the current announcement is a good start. I anticipate additional details in the coming weeks.
Two bits of PCI trivia are emerging. The first is that the Council will release information to Participating Organizations (and I hope QSAs, too) on the revised DSS over the summer and that they will present the changes at the Community Meeting. Nothing will be released publicly until October, when the revised DSS is published. This gives you another reason to join the Council and be in Orlando.
The other tidbit is that it looks like each three years the revised standard will be a “.0” version. That is, I expect October to see PCI DSS version 2.0 with updated version numbers reflecting errata and/or emerging threats to be tagged with a .1 or a .2.
What do you think about the new lifecycle? Will it help you plan and budget your implementation? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.