PCI Security Standards Council Unveils New Data Security Standards

Posted on November 6, 2010 by Kevin Khurana

On Thursday, October 28, 2010, the Payment Card Industry Security Standards Council (the “Council”) promulgated version 2.0 of its Data Security Standard (“PCI DSS”) which sets forth data security standards for payment card processers. The Council also updated its Payment Application Data Security Standard (“PA DSS”) which sets forth data security standards for software vendors that develop payment applications. Each new Data Security Standard will take effect on January 1, 2011.

In its summaries of the changes to each Data Security Standard, the Council makes clear that the majority of the changes arose from the need to clarify the intent of certain requirements, provide additional explanations or definitions, and ensure that the standards were up to date with emerging threats and changing markets.  

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

  • Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
  • Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
  • Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
  • Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities and rank them according to risk and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.
Tags: , , , , , ,

Governor Schwarzenegger Says No to California A.B. 779

Posted on October 14, 2007 by Proskauer Rose LLP

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, discussed here, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.

As discussed in our previous posts here and here, AB 779 was proposed in the wake of the massive security breach at the TJX Companies and would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards, debit cards, or other payment devices from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. The bill also incorporated certain liability-shifting provisions that would have made such businesses liable to the owner or licensee of the information for the reimbursement of reasonable and actual costs of providing notice to consumers as required by existing law and for the reasonable and actual cost of card replacement as a result of the breach of the security of the system. It also would have mandated the inclusion of specific kinds of information about a breach in notices provided to individuals affected by the breach.

The Governor’s veto was based on concerns that AB 779 would potentially conflict with private sector data security standards such as the Payment Card Industry Data Security Standard and would increase the costs of compliance.

In his veto message, available here, the Governor stated that, while he is "committed to strong laws that safeguard every individual’s privacy and prevent identity theft, . . . this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information. This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards." The Governor also noted that the bill "fails to provide clear definition of which business or agency ‘owns’ or ‘licenses’ data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses." The Governor encouraged "the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above."

It remains to be seen whether Governor Schwarzenegger's veto effectively puts to an end efforts in other states to pass such legislation.
Tags: , , , , , , , , , , , , ,