Recent PCI Security Standard Council's North American Community Meeting revealed PCI compliance changes. PCIHosting.com helps individuals and organizations prepare for the changes.
Online PR News – 01-October-2012 – Chicago, Illinois – New standards in PCI compliant services and clarifications of existing standards are set to bring the payment card industry up-to-date with the latest security threats. PCIHosting.com (http://www.pcihosting.com), a leading provider of industry news on PCI compliant Web hosting and dedicated servers, will be providing regular updates on its site as changes are announced.
The PCI Security Standard Council's North American Community Meeting, hosted in Orlando, Fla. from Sept. 12–14, met to engage the industry and discuss feedback received earlier in the year as part of its triennial standards lifecycle. Of the issues discussed, PCI DSS requirement 11.2 was at the top of the list, with many asking for clarification on definitions and suggestions on standardization of testing procedures.
"This was one of the main issues that needed to be clarified," says Terrance Howard, founder of PCIHosting.com, a leading provider of PCI compliant hosting. "There is a lot of confusion among many assessors and merchants as to what exactly constitutes a 'significant change' when it comes to changes in a network. More important, though, was the proposal to prescribe the use of specific tools for PCI DSS requirement 11.2. This will help standardize many of the scans currently used, and will help secure merchants who until now didn't have a way of verifying whether current scans were sufficient."
But PCI DSS 11.2 wasn't the only item on the agenda. Because of the diverse nature of the meeting's feedback participants, with more than half from outside of North America, the myriad issues included scope of assessment, requirement 12, SAQs and many other PCI DSS and PA-DSS topics.
In an interview with BankInfoSecurity, an industry media publication, council General Manager Bob Russo admitted there was some confusion about many of the existing standards that had to be clarified. "We found that the industry wanted more specific information about things like updates to password requirements and how those updates will help to enhance security," Russo said. "They wanted clarification about testing procedures and how to get adequate coverage."
The industry undergoes 36-month lifecycles that include eight stages, and feedback and reviews are simply two stages within that lifecycle that contribute to helping the industry stay current with the latest security threats, including those that target PCI compliant hosting providers.
"The review process is what allows our industry to adapt to new threats and make compliance easier," adds Mr. Howard. "It's also a critical step where we're able to present the concerns voiced by many of those whom we've consulted. We show people how to best implement PCI compliant hosting, and it's why we compile questions we've heard into constructive feedback that can help influence how the PCI Security Standards Council tackles many of these important issues."
Many of the changes discussed at the council will not be implemented until the beginning of next year as old standards are retired, which typically occurs on the last day of the year.