PCI 1.2: Waives QSA Requirement, Specifies Shred Details

When the PCI Council officially unveiled PCI 1.2 on Wednesday (Oct. 1), it included virtually no meaningful changes beyond the key changes PCI had announced back in mid-August. But far from the mild tweak officials had described, the final PCI 1.2 version actually includes dozens of wording changes, most of which reflect technology changes since 1.1 was released two years ago.

The PCI Council issued its own quite comprehensive list of the changes, but for those who want to directly compare the official 1.1 version with the official 1.2 version, these links should do the trick.

The official version also didn't address any of the missing elements that some have questioned PCI about. But 1.2 did make quite a few modernization changes, especially with language.

There were a handful of small procedural changes. PCI clarified that printed material containing card data must not merely be destroyed; retailers now must "shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed." A good move to spell out.

Although the standard still says that qualified professionals must perform the evaluations, it now specifically says that the tester is "not required to be a QSA or ASV."

Language changes, though, accounted for the overwhelming majority of the new changes. For example, "hackers" is gone, replaced with "malicious individuals."

That particular change I partially applaud. For far too long, the once prestigious term "hacker" has been muddied. The original term refers to an especially skillful, resourceful and creative programmer who can come up with a way to get a system to do virtually anything the company needs. As in "This is a tough one. Let's get Joan to do it. She's the best hacker we've got."

The consumer media quickly turned the term into one referencing a cyberthief. For abandoning the negative use of the word "hacker," PCI should be applauded. But the phrase "malicious individuals," although certainly an improvement, is not necessarily accurate. Professional cyberthieves may not be malicious at all, in that they have no intention of deliberately harmful or spiteful actions. Many are professionals just trying to make money, albeit illegally. (Think Fagin.) They're crooks all right, but, as a writer, I'm not sure malicious is necessarily correct.

Another favorite language change was the PCI Council's decision to weigh into that fun-filled PCI debate about whether the security evaluations done are "audits" or "assessments." Some have argued for assessments, suggesting that an audit is more intrusive and focused more on what is touched and opened and probed rather than what is asked. The council has changed all references to audits to assessments.

Here's one that only writers will cheer for: The document changed references to "subsequent to authorization" to "after authorization." Or maybe this one: PCI changed "potential employees" to "potential employees prior to hire." (I guess all humans on the planet could be considered potential employees. With Microsoft, they don't even have to limit themselves to humans.)

Wording changes reflecting modernization include:
  • "Full magnetic stripe" became "Full track data from the magnetic stripe, magnetic stripe image on the chip or elsewhere."
  • "E-mail" became "end-user messaging technologies (E-mail, instant messaging, chat)."
  • "Password" became "password or passphrase."