The Payment Card Industry Security Standards Council releases a summary of feedback from the PCI community on the PCI Security Standards. The document highlights key themes coming out of the Council’s formal feedback period on version 2.0 of the PCI DSS and PA-DSS, in preparation for the next release of the standards in October 2013.
As part of the open standards development process for the PCI DSS and PA-DSS, the PCI Security Standards Council (PCI SSC) solicits input on the standards from its global stakeholders through a variety of avenues, including a formal feedback period. More than half the input received during the formal feedback period originated from organizations outside of the United States.
This industry feedback drives the ongoing development of strong technical standards for the protection of cardholder data, giving more than 650 Participating Organizations, including merchants, banks, processors, hardware and software developers, the Board of Advisors, point-of-sale vendors, and the assessment community, the opportunity to play an active role in improving global payment security. Payment security stakeholders can use the summary document to better understand the Council’s approach to reviewing and categorizing the feedback, the key trends and themes, and how the feedback is being addressed.
The feedback was received by the Council across the following five categories:
- Request change to existing requirement/testing procedures (34%)
- Request for clarification (27%)
- Request for additional guidance (19%)
- Feedback only – no change requested (12%)
- Request for new requirement/testing procedure (7%)
Over 90% of the feedback was on the PCI DSS, the foundation for the Council’s standards, with more than half specific to the following topics:
- PCI DSS Requirement 11.2 – Suggestions include prescribing use of specific tools, requiring ASVs to perform internal scans, and defining what constitutes a “significant change”.
- PCI DSS Scope of Assessment – Suggestions for detailed guidance on scoping and segmentation.
- PCI DSS Requirement 12.8 – Suggestions include clarifying the terms “service provider” and “shared,” and providing more prescriptive requirements regarding written agreements that apply to service providers.
- PCI DSS SAQs – Suggestions for updating the SAQs; they are either too complex or not detailed enough.
- PCI DSS Requirement 3.4 – Suggestions for further clarification and guidance, since encryption and key management are complex requirements, and truncation, hashing and tokenization are not convenient methods for storing and retrieving data.
- PCI DSS Requirement 8.5 – Suggestions for updating the password requirements, including expanding authentication beyond passwords alone; respondents found the current password requirements either too strict or not strict enough, and asked for them to be made either less prescriptive or more prescriptive.
These trends and other highlights are provided in the summary document, including the main PA-DSS feedback themes and breakdowns of the types of organizations that participated and of the geographic regions represented.
“Industry feedback is the lifeblood of the PCI Standards,” said Bob Russo, general manager, PCI Security Standards Council. “As the PCI community continues to expand across industries and geographies, the Council relies on its expertise to drive the evolution of the standards. I want to personally thank all who have contributed to the on-going development of these critical resources for payment security.”