By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"
Our take:
Robert Russo, the general manager of the PCI Council and a man who never met an acronym he didn't like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as "minor changes."
"We happen to think that the standard is pretty damn good the way it is right now," Russo said. "It goes to the feedback that we've been getting. It's as good as it is without needing to make a major overhaul."
That said, Russo stressed that the new tweaks they are making will be mostly in three key areas: wireless, application security, and penetration testing.
Some of the changes will involve clarifications on requirements and "there will be some things about the reports and what we are looking for in the reports." In wireless, for example, Russo said current wording about WPA and WPA2 and WEP—which suggests that networks need to use both—will be changed, but he couldn't say what it will be changed to.
PCI compliance continues to be a tricky act to master, especially for large retailers with massive investments in decades-old point-of-sale and data warehousing technology. That having been said, though, it's a huge step in the right direction for many of these same companies, since they sometimes tend to have less-than-optimal security practices and procedures in place.
WireSpring spends a good amount of time keeping our systems compliant and our apps up-to-date with PABP specifications, so we're hoping that the new spec won't be too far away from the current one in terms of implementation requirements and best practices. One trend we've seen so far is an increase in retailer suspicion towards kiosks, digital signs or any other devices installed inside their networks that need to communicate with the outside world, and we suspect that much of this newfound skepticism is likely due to the difficulties with getting -- and keeping -- these large networks in compliance.