In the fast-changing technology landscape a week does not pass by without a new game-changing social media app, a new service in the cloud or some other provocative evolution. What chance does a regulator such as the PCI SSC have in setting a standard that applies to all the technologies employed in payments? Two years after PCI DSS 1.2, PCI DSS 2.0 is now upon us, and this was one of the topics discussed at a recent QSA roundtable.
Any standards that follow technology trends will be in a constant cycle of revisions for standard-followers to take on and plan for. Regularly moving the goal posts will create apathy and resentment amongst the parties trying to comply. So is PCIDSS a dead-in-the-water standard behind the times or an impossible, but living, set of rules? Luckily, the answer is neither and this is even truer of version 2.0 than the outgoing 1.2.
The PCI Security Standards Council (SSC) and the card schemes, fortunately, are not trying to apply rules and limits to every cumulus congestus that emerges into the world of payments. Instead, they are trying to lay a security foundation, and as such the foundation should not change every time a new technology comes along. The key discipline for the council is to avoid being prescriptive about the ‘right’ security methods, and instead to focus on defining the intent of each guideline and the risk in each area. As an example of the less-prescriptive direction of 2.0, here is the evolution of the wireless local area network (WLAN) rules:
- In 1.2 the requirement was along the lines of ‘Test for the presence of wireless access points by either doing WLAN Access Point scanning or using a Wireless Intrusion Detection System (IDS)’. WLAN Access Point scanning works great for some; but those that have many stores with a WLAN in each one find it tiresome to have a staff member waving a scanner around in each store every few months. IDS too suffers from being seen as prohibitively costly by many.
- In 2.0 the flexibility to choose other methods to achieve the same goal has been introduced: ‘Test for the presence of wireless access points’, and this is followed by a crucial note ‘methods include but are not limited to: WLAN Scanning; using a Wireless Intrusion Detection System; Physical Inspection or Network Access control.’
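Whichever method is chosen, the intent of the requirement is the same: every radio seen on site is reconciled against the list of access points the organisation actually deployed, and anything else is investigated. The following is an added example illustrating that reconciliation step; it is not code from the blog post, the PCI SSC or any QSA tool. It assumes a simple constructed `SSID,BSSID,channel` export from a scanner and a constructed inventory of authorised access points, and it separates unknown networks from the more worrying case of a known SSID being advertised by a radio that is not in the inventory.

```python
"""Rogue wireless access point check (added example, hypothetical tooling).

Compares a scan export against an authorised-AP inventory and groups what
it finds into authorised, SSID-spoofing and unknown access points.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str     # radio MAC address, normalised to lower case
    channel: int


# Constructed inventory: the access points the organisation deployed.
AUTHORISED: dict[str, AccessPoint] = {
    "00:11:22:33:44:01": AccessPoint("STORE-CORP", "00:11:22:33:44:01", 6),
    "00:11:22:33:44:02": AccessPoint("STORE-CORP", "00:11:22:33:44:02", 11),
}

# Constructed scan export in a simple "SSID,BSSID,channel" format. It
# deliberately contains a duplicate sighting, an unknown network and a
# radio advertising the corporate SSID from an unlisted BSSID.
SAMPLE_SCAN = """\
# ssid,bssid,channel
STORE-CORP,00:11:22:33:44:01,6
STORE-CORP,00:11:22:33:44:02,11
STORE-CORP,DE:AD:BE:EF:00:01,6
FreeWiFi,aa:bb:cc:dd:ee:ff,1
STORE-CORP,00:11:22:33:44:01,6
"""


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse the constructed CSV-style export, skipping blanks and comments."""
    aps: list[AccessPoint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel = (field.strip() for field in line.split(","))
        aps.append(AccessPoint(ssid, bssid.lower(), int(channel)))
    return aps


def classify(scan: Iterable[AccessPoint],
             authorised: dict[str, AccessPoint]) -> dict[str, list[AccessPoint]]:
    """Reconcile scan results against the inventory.

    authorised  : BSSID is in the inventory
    ssid_spoof  : BSSID is not in the inventory but advertises a corporate SSID
    unknown     : neither the BSSID nor the SSID is ours (neighbour, hotspot...)
    Each BSSID is reported once, however many times the scanner saw it.
    """
    known_ssids = {ap.ssid for ap in authorised.values()}
    result: dict[str, list[AccessPoint]] = {"authorised": [], "ssid_spoof": [], "unknown": []}
    seen: set[str] = set()
    for ap in scan:
        if ap.bssid in seen:
            continue
        seen.add(ap.bssid)
        if ap.bssid in authorised:
            result["authorised"].append(ap)
        elif ap.ssid in known_ssids:
            result["ssid_spoof"].append(ap)
        else:
            result["unknown"].append(ap)
    return result


def needs_investigation(result: dict[str, list[AccessPoint]]) -> bool:
    """True when anything outside the inventory was observed."""
    return bool(result["ssid_spoof"] or result["unknown"])


if __name__ == "__main__":
    findings = classify(parse_scan(SAMPLE_SCAN), AUTHORISED)
    for category, aps in findings.items():
        for ap in aps:
            print(f"{category:<11} {ap.ssid:<12} {ap.bssid}  ch{ap.channel}")
    print("investigate:", needs_investigation(findings))
```

The same classification works over any scan source that can produce SSID and BSSID pairs, so the evidence a QSA asks for (a dated record of what was seen and what was explained) can be kept in one format regardless of whether the data came from a hand-held scanner, a wireless IDS or a site inspection.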
With the PCI SSC becoming less prescriptive, the industry is free to innovate to solve security problems, and card acceptors are free to choose the most effective, future-proof and suitable solutions to meet their needs.