The New PCI DSS Version Is Discussed

If you want to know about what’s coming in the next version of the PCI DSS, see this article.

The bottom line is that the new standard will be out in October 2010 and not much is changing, just clarifications. However, this interview with Bob Russo does point out a few interesting tidbits.

The first is that end-to-end encryption sounds great, but needs to be further studied, defined and refined. In addition, the cardholder data must be decrypted at the end points, which means your key management procedures need to be bulletproof. I had put up a series of posts last year right after Heartland discussed using end-to-end encryption.

The second thing I found interesting is his discussion of Chip and PIN. Yes, Congress found this technology to their liking, but it has its own issues, some of which I discussed in a post a while back. It is not the be-all and end-all, but it does offer some additional features. However, Mr. Russo neglected to mention that Chip and PIN cards do have magnetic stripes on them to be compatible with the rest of the world.

Finally, there will be more white papers, FAQs and the like written.

In general, not a lot to talk about. However, that can all change between now and then if we see some changes in tactics by the attackers.


January 2010