Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



PCI DSS 2.0 Compliance Deadlines are Looming – Are you Ready?

In October 2010, Version 2.0 of the Payment Card Industry – Data Security Standard (affectionately called PCI-DSS) was released by the Security Standards Council and went into effect January 1, 2011. Most of the changes were focused on clarification of existing guidelines but could have an impact on the steps required to get PCI compliant.

In October 2010, Version 2.0 of the Payment Card Industry – Data Security Standard (affectionately called PCI-DSS) was released by the Security Standards Council and went into effect January 1, 2011. Most of the changes were focused on clarification of existing guidelines but could have an impact on the steps required to get PCI compliant. While Version 2.0 went into effect January 1, 2011, the PCI council was gracious enough to allow a grace period so any validation efforts completed in 2011 are allowed to use either version. Some of the changes have a longer grace period. Version 1.2.1 will be retired on December 31, 2011 so come 2012, all merchants who are required to be PCI-DSS Compliant will have to get their validation under provisions of PCI-DSS 2.0.

PCI Compliance DeadlinesBefore we look at the changes in PCI 2.0 that become mandatory in 2012, let’s look at fundamentals of PCI-DSS.

The Payment Card Industry Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. PCI standard is built around twelve key requirement categories:

PCI Data Security Compliance

Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0

Although most of the emphasis for compliance has been put on Level 1 and 2 merchants, various credit card companies are push the standard down to Level 3 and 4 merchants as well. For example, VISA requires compliance from all level merchants with some variations in requirements:

List PCI DSS Requirements by Level

Other card providers have slightly different requirements and deadlines.

Changes in Version 2.0

Advertisement. Scroll to continue reading.

Here are some of the key changes that were made in PCI-DSS 2.0:

• Requirement 1.3.8 – Do not disclose private IP addresses and routing information to unauthorized parties. Clarified with specific examples for methods of preventing IP address disclosure.

• Requirement 2.2.1 – Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. Additional clarification was made for virtualization – Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

• Requirement 6.2 – Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Previously ranking wasn’t required. Most merchants have not been focusing on these and it’s an important distinction. Rankings should be based on industry best practices. The council gave an extra grace period for this change and this will become a requirement after June 30th, 2012.

• Requirement 6.5 – Instead of just using OWASP Top 10 as the benchmark, the council clarified that as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these. In Section 6.5.6 was changed to clarify that all the “High” vulnerabilities identified in Requirement 6.2 must be fixed.

• Requirement 11.1 – Processes should be in place to detect unauthorized wireless access points on a quarterly basis. Provided flexibility in terms of methods used for detection. • Requirement 12.1.2 – Risk assessment methodologies should be documented. Changes also included examples – Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.

• Requirement 12.6.1 – For security awareness program – broadened the scope so it says “personnel” vs. “employees”. Also defines various methods to be used depending on the role of personnel.

• Requirement 12.8.4 – Clarified that “entity” instead of “entity assessed” maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.

In addition to the above, there are a lot of minor clarifications of the existing requirements. Some of the clarifications can be important too. For example, one major clarification has to do with the primary account number (PAN) on a credit card. If you store an account number it must be rendered unreadable.

Be sure to verify that you are meeting all the requirements appropriately and consult with your acquirer for additional clarifications.

There’s limited time left for PCI DSS 2.0 compliance timeline. Some of these changes require time so do not procrastinate and start working toward these goals now. While getting compliant with PCI DSS like any other regulations is important, remember, this is just a means to the end and not the end itself. The ultimate goal is to get your infrastructure secure so you can protect your customer and employee data from hackers. Focus on security first and compliance will follow automatically. Getting a checkbox for compliance can get you in trouble. Compliance doesn’t necessarily mean security. Strong security should usually result in compliance. Stay secure.

Related Content: Embracing Mobile Payments? You Might Not Be Compliant

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...