Trick Or Treat? New PCI Version To Be Here By Halloween

By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn't like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as "minor changes."

The new guidelines will be PCI DSS version 1.2, a mild bump from version 1.1 that was published in September 2006. The council had been considering a rhetorical jump all the way to 2.0 but, Russo said, they concluded that not that much needed to be changed.

"We happen to think that the standard is pretty damn good the way it is right now," Russo said. "It goes to the feedback that we've been getting. It's as good as it is without needing to make a major overhaul."

That said, Russo stressed that the new tweaks they are making will be mostly in three key areas: wireless; application security; and penetration testing.

One of the reasons for the vagueness is that the council is still deciding on particulars. Also, Russo said an advantage of participating in the process is to get early looks at the proposals.

Some of the changes will involve clarifications on requirements and "there will be some things about the reports and what we are looking for in the reports." In wireless, for example, Russo said current wording about WPA and WPA2 and WEP—which suggests that networks need to use both—will be changed, but he couldn't say what it will be changed to.

"The ambiguity is going to be much, much less," he said. "Today, lots of things are open to interpretation."

Russo also addressed a common retail concern when a new version of PCI is discussed; namely, that it will suddenly cause compliant merchants to become non-compliant. "We are not trying to get merchants to be out of compliance," Russo said.

Truth be told, the council does seem to have a plan for implementing anything new gradually. Changes are optional for several months, to give merchants time to adjust without risking a loss of compliance.

That's a fair approach. As he discussed it, however, I couldn't help but envision a paraphrase of a favorite Aaron Sorkin line. Retail CIO: "Why do you think it's your job to try and get merchants out of PCI compliance?" PCI Council GM: "I honestly don't think it's part of my job. It's more of a fringe benefit."