If you want to know about what’s coming in the next version of the PCI DSS, see this article.
The bottom line is that the new standard will be out in October 2010 and nothing much is changing, just clarifications. However, this interview with Bob Russo does point out a few interesting tidbits.
The first is that end-to-end encryption sounds great, but needs to be further studied, defined and refined. In addition, at the end points, the cardholder data must be decrypted, which means your key management procedures need to be bulletproof. I had put up a series of posts last year right after Heartland discussed using end-to-end encryption.
The second thing I found interesting is his discussion of Chip and PIN. Yes, Congress found this technology to their liking, but it has its own issues, some of which I discussed in a post a while back. It’s not a be all to end all, but it does offer some additional features. However, Mr. Russo neglected the fact that Chip and PIN cards do have magnetic stripes on them to be compatible with the rest of the world.
Finally, there will be more white papers, FAQs and the like written.
In general, not a lot to talk about. However that can all change between now and then if we see some changes in tactics by the attackers.
PCI Guru 
0 Responses to “The New PCI DSS Version Is Discussed”