Aug 12 2010
This morning the PCI Council released the Summary of Changes for PCI 2.0. And to be brutally honest, so far I’m completely underwhelmed. Obviously we don’t have the details on what the changes actually are, but the high level view of them makes it sound like there are almost no significant changes. Strike that: there are no significant changes at all. There is some clarification and some mention of virtualization, but I was hoping for more. I wasn’t expecting much more, but I was hoping.
I got to talk to Bob Russo from the PCI Council in July, and he’d hinted at the level of change. And maybe I’m just not realistic in asking for major changes. Despite the fact that PCI has been around for a while now, there are still a lot of merchants and service providers who have issues complying. It may be that the realistic thing for the Council to do is continue to build support and compliance with what they have now, rather than pushing to increase security by making major changes. Sometimes it is better to accept minor changes you know you can enforce than to try for something grander that you’ll never attain.
I’m hoping to get another chance to talk to Mr. Russo. I’ve asked nicely, really I have. I’d like to understand why this is the sum total of changes they’re making before switching to a three-year lifecycle. I’m not sure I’ll like the answers, but I still want to hear them directly from the man who’s in charge of the group setting and managing the PCI Standards. Obviously, my approval is not necessary, but as one of the people who helps enforce the PCI Data Security Standards, I want to understand the reasoning.