PCI Council revisits payment security standards

The PCI Council wants to improve protection when using payment cards

The PCI Security Standards Council is preparing changes to the rules governing payment cards, although no new requirements will be made of the market.

In a new paper (PDF) the data protection and security group discussed the challenges involved in securing payments, and talked up the revisions planned in the next versions of the Payment Card Industry Data Security Standard (PCII DSS) and the Payment Application Data Security Standard (PA DSS).

Changes to the standards, which also cover PIN security, are slated to appear in October, and the Council said that it is preparing users and vendors prior to the launch.

The changes have been agreed by a number of interested parties, including vendors, banks and merchants. Specifically, the Council said, it hoped to " improve the flexibility of organisations to implement controls, better manage evolving threats and address scoping and reporting elements".

The modifications have been designed to harmonise both standards and facilitate stronger security practices, the group said.

They do not force any new requirements on the market, the Council explained, but rather give it a clearer understanding of its responsibilities and make it easier for parties to assess and prioritise vulnerabilities in systems.

"The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive card data," said Bob Russo, general manager of the PCI Security Standards Council, in a statement.

"With the changes to the PCI DSS and PA-DSS outlined in advance, organisations will be better prepared to align their security programmes with the updated standards and ensure security of their cardholder data."

In order to further guide these interested parties through the changes, the Council will hold a number of stakeholder meetings in which it will seek to ease their path.

"The Council continues to promote active participation in the development of the standards," said Michael Reidenbach, executive vice president and worldwide chief information officer at Global Payments, and member of the PCI SSC board of advisors.

"The summary of changes not only gives stakeholders the information they need to plan for the updated standards, but encourages industry involvement in shaping payment card security."

The updated standards will come into affect on 1 January.