New PCI Lifecycle Gives Retailers A Way To Game The System

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

As we reported back in mid-April, the PCI Council has, this week, officially announced that the new versions of both PCI DSS and PA-DSS will move to three-year lifecycles. Because the PCI assessment cycle is only 12 months, this timing raises an interesting possibility for a retailer to game the system.

The change represents an increase of one year over the current two-year lifecycle. It should be good news for retailers and application developers alike. Changes to the standards will come less often, and there will be more time for comment on proposed changes.

This week's release is the first in a series of announcements and research papers expected over the summer as the PCI Council rolls out its revised version of the PCI DSS in advance of the PCI Community Meeting in Orlando in September.

Looking at the new PCI DSS and PA-DSS lifecycles, there are no bombshells. Instead there are some interesting nuances for retail CIOs. For one thing, the sunset date for the old requirements is stretched out. Retailers also have more time to implement changes.

Under the current lifecycle, the revised standards would be published in October and become effective immediately. This timing is not very useful for retailers because it coincides with the fourth-quarter freeze on system changes. It also means retailers have only six months (from January to June 2011) to implement the new standard. The new lifecycle, on the other hand, gives retailers a year.

The new three-year lifecycle means the present (version 1.2) DSS won't be retired until December 2011. This change gives retailers as many as 15 months to implement and validate under the revised DSS. Because the PCI assessment cycle is only 12 months, this timing raises an interesting possibility for a retailer to game the system. A retailer could, for example, validate compliance against the outgoing 1.2 version of the DSS in the fourth quarter of 2010 and use that same version again in the fourth quarter of 2011, just beating its retirement date. The implication is that such a retailer would not have to validate against the new version until the fourth quarter of 2012.

This quirk of timing is more of a curiosity than a flaw resulting from the extended lifecycle. I don't think anyone would recommend this strategy and, as a QSA, I would argue very strongly that retailers--for their own sake--comply with the latest version of PCI as soon as possible. Additionally, because no major changes are expected to the new version, I don't think a retailer would gain very much by waiting.

A clear benefit of the three-year lifecycle is that it allows much more time for comments from retailers, their associations, processors and system developers, including two Community Meetings, between expected revisions to the standards. If you haven't attended one of these meetings (I've been to each of the past three), let me tell you they are reason enough to justify becoming a Participating Organization.

The Community Meetings offer unique opportunities for direct and often quite blunt feedback to the Council and the card brands. The communication isn't all one-way. I can't think of another standard that both announces sunset dates for current requirements and allows for active feedback from those impacted by the standard. The new lifecycle provides almost one year for draft revisions to the standards to be prepared and discussed. This change is a great improvement over today's three- to five-month review period.

This longer PCI lifecycle represents a maturing of the standard. It also refutes the arguments, which have always been unfair, that PCI is a moving target. The standard itself has barely changed in the past couple of years. For example, the one change taking effect now is banning WEP to protect your wireless networks. And that long overdue change has been two years in coming. What has evolved, though, is the threat landscape, which has led to clarification and maybe some different interpretation by QSAs of what does or does not meet the intent of a particular requirement.

Lest anyone--especially the bad guys--assume that this lifecycle change means PCI is cast in concrete for the entire three years, the Council has explicitly reserved the option to implement what it calls "mid-lifecycle changes" to address new threat vectors or gaps in the standards.

For now, this week's announcement is good news. But there is bigger news to come. We can expect more announcements concerning changes to both PCI DSS and PA-DSS over the next two months. We can also expect to see reports on emerging technologies (encryption, tokenization and virtualization), clarifying their roles in achieving and maintaining compliance. Bob Russo, general manager of the PCI Council, has promised to release details on changes as they are finalized. Although some of us expected to have seen more details on expected changes by now, the current announcement is a good start. I anticipate additional details in the coming weeks.

Two bits of PCI trivia are emerging. The first is that the Council will release information to Participating Organizations (and I hope QSAs, too) on the revised DSS over the summer and that they will present the changes at the Community Meeting. Nothing will be released publicly until October, when the revised DSS is published. This gives you another reason to join the Council and be in Orlando.

The other tidbit is that it looks like every three years the revised standard will be a ".0" version. That is, I expect October to see PCI DSS version 2.0, with updated version numbers reflecting errata and/or emerging threats to be tagged with a .1 or a .2.

What do you think about the new lifecycle? Will it help you plan and budget your implementation? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].