By Sue Zloth
Drum roll please…in case you missed it, the new PCI Data Security Standard 2.0 (PCI DSS) and the Payment Application Data Security Standard 2.0 (PA-DSS) were released by the PCI Security Standards Council late last week.
The Council released the latest version to provide “greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants” according to the announcement. Version 2.0 will become effective for merchants on January 1, 2011.
So, with the new standards in place, now what?
- Should merchants continue their current efforts in becoming PCI DSS compliant under v1.2?
- Do merchants need to stop their efforts to focus on becoming compliant under PCI DSS v2.0 in preparation for the New Year?
- Will the “validation” documents on encryption and tokenization require additional changes?
Luckily for merchants, version 2.0 doesn’t introduce any major new requirements, and most of the changes are geared towards clarification of the existing requirements. Moreover, merchants who are well down the path of complying with v1.2 are not required to restart their efforts and comply immediately with the new standard, since the old 1.2 standard remains valid until December 31, 2011. However, if a merchant hasn’t started yet, they should look to achieve compliance against the 2.0 spec (it is valid now for merchants).
Regarding point-to-point encryption and tokenization, the Council is simply offering guidance. Last month they released guidance on P2PE and before the end of the year, guidance on tokenization will be released from the Special Interest Group (SIG) that I sit on. We don’t expect that merchants will have to comply with any additional requirements, although once all of the documents are released, merchants will need to make sure that their providers comply with the P2PE and tokenization requirements.
The Council understands that merchants need more clarity regarding the standards and small merchants, in particular, are struggling to ensure compliance with limited resources and knowledge. In fact, just this past week Troy Leach, the Council’s CTO, was sitting on a panel next to our CTO, Dan Lane, at an industry conference. He highlighted the changes and discussed how the Council will be taking proactive steps to ensure merchants have the tools needed to understand exactly what is going to be required of them.