Aug 12 2010

PCI 2.0 Summary of Changes

Published by at 1:14 pm under PCI

This morning the PCI Council released the Summary of Changes for PCI 2.0.  And to be brutally honest, so far I’m completely underwhelmed.  Obviously we don’t have the details on what the changes actually are, but the high level view of them makes it sound like there are almost no significant changes.  Strike that: there are no significant changes at all.  There is some clarification and some mention of virtualization, but I was hoping for more.  I wasn’t expecting much more, but I was hoping.

I got to talk to Bob Russo from the PCI Council in July, and he’d hinted at the level of change.  And maybe I’m just not realistic in asking for major changes.  Despite the fact that PCI has been around for a while now, there are still a lot of merchants and service providers who have issues complying.  It may be that the realistic thing for the Council to do is continue to build support and compliance with what they have now, rather than pushing to increase security by making major changes.  Sometimes it is better to accept minor changes you know you can enforce than to try for something grander that you’ll never attain.

I’m hoping to get another chance to talk to Mr. Russo.  I’ve asked nicely, really I have.  I’d like to understand why this is the sum total of changes they’re making before switching to a three year lifecycle.  I’m not sure I’ll like the answers, but I still want to hear them directly from the man who’s in charge of the group setting and managing the PCI Standards.  Obviously, my approval is not necessary, but as one of the people who helps enforce the PCI Data Security Standards, I want to understand the reasoning.



One Response to “PCI 2.0 Summary of Changes”

  1. spiv on 13 Aug 2010 at 6:44 am

    Living in hope and what actually happens in reality as you know are often two completely different things, or maybe I am just a hardened cynic!

    PCI, despite its failings and apathy amongst merchants, is here to stay for those still in denial. As a security directive, if that is the right word, it doesn't go far enough, and like we all know, if you are just looking for the tick in the box and don't care about security, or don't have the time, then hey presto, you can be PCI compliant along with all your compensating controls.
