The Tech Herald

PCI DSS: What to expect in October

by Steve Ragan - Aug 20 2008, 19:21

PCI DSS 1.2 is coming in October, so what changed? (Image: J. Anderson)

In October, the newest version of the PCI Data Security Standard, version 1.2, will become official. Yesterday, the summary of changes was released and, as expected, there is nothing dramatic about alterations in the newest version. The reason for the new version, sans changes, is the two-year life cycle that the PCI Security Standards Council has adopted for PCI DSS.

Version 1.2 of PCI DSS is an update to version 1.1 in the sense that it is aimed at clarifying the goals that must be met to achieve PCI DSS compliance. For example, the six principles are unchanged in version 1.2. Those principles are the main guides that lay the foundation for PCI compliance. Within these six guides are 12 requirements that must be met in order to earn PCI DSS compliance.

Briefly, the six principles are: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing company networks; and creating and maintaining an information security policy.

The first thing some companies might want to know is what happens in October. Will they instantly become non-compliant if they have not switched over to PCI DSS 1.2?

The answer is no. In fact, the PCI Security Standards Council said that if a company is in the middle of an assessment, using version 1.1 of PCI DSS – even if it is not completed until after October when version 1.2 goes into effect – then the company is allowed to use version 1.1.

This is because assessments on PCI DSS compliance under 1.1 are valid until the sunset date (when the older version is no longer valid). While there is no official sunset date for version 1.1, the PCI Security Standards Council says that it will be at least three months after the publication of version 1.2. In addition, if a company has had an assessment completed prior to version 1.2 being released, any changes will be addressed during the next annual assessment, meaning compliance with PCI DSS is still valid, even if it is under version 1.1.

The PCI Security Standards Council says the “...entire PCI DSS version 1.2 (or “Security Assessment Procedures” version 1.2 that comprise the standard) along with supporting documentation will be made available to Participating Organizations the first week of September 2008.”

It also adds that the matter will be discussed in further detail at the Council’s Community Meeting in Orlando, on September 23-25. Version 1.2 will be made public on October 01 and follow-on discussions will take place at the Council’s second Community Meeting in Brussels, Belgium, on October 22-23.
