PCI DSS version 2.0 has finally been published (to take over from version 1.2.1 completely by January 2012).
Version 1.2.1 will not be fully retired until that point, so there is a suitably generous conversion period, especially given the lack of significant change in the new version.
The changes are for the most part based on what has been learned in developing the standard; guidance and clarification have been the main themes of this release, with greater detail and guidance on virtualisation and on how security should now be handled in virtual servers and in a cloud environment.
Perhaps the best part about the release of PCI DSS version 2.0 is the launch of a new PCI DSS website aimed at small companies.
Recognising that these companies may lack technical expertise, the message is couched in simple terms and designed to be understood by the non-IT specialist.
There is now a dedicated PCI DSS for Small Merchants website:
In addition, the PCI SSC has produced a guide designed to explain the standard and requirements to non-technical people:
This is for version 1.2.1 at the moment, but as that version remains relevant until the end of next year and the principles have not changed, it is an excellent tool to use in achieving PCI DSS compliance.
Despite clarifying many points, the standard still leaves two key areas in limbo: tokenisation and point-to-point encryption.
Both of these technologies are key elements in enabling merchants to take parts of their systems out of scope of the standard.
In other words, if merchants can prove card data has been encrypted or substituted by a token, then it is viewed as secure and out of scope of PCI compliance requirements.
UKFast are PCI DSS (Payment Card Industry Data Security Standard) compliant in our operational business processes relating to the payment card industry. When looking for a hosting partner, look out for PCI compliance requirements in order to guarantee the security of your payment card information and other critical financial details.
You could also have a look at our round table on PCI compliance where we were joined by Graham Boler, consultant at ECSC, Daniel Atherton, managing director of Athernet Solutions, Jason Zemmel, managing director of Half Price Perfumes, Richard Bromley of Ken Bromley Art Supplies, Reshad Hossenally, managing director of Ticket Arena and Neil Lathwood, IT director at UKFast.
Our panellists discussed the reasons behind needing to be PCI Compliant, trust in online security and the procedure of achieving the standard.
According to figures issued by Visa earlier this year just nine per cent of the UK’s Level 1 retailers (those that handle more than six million transactions a year) have actually managed to achieve PCI DSS compliance.