On Thursday, October 28, 2010, the Payment Card Industry Security Standards Council (the “Council”) promulgated version 2.0 of its Data Security Standard (“PCI DSS”), which sets forth data security standards for payment card processors. The Council also updated its Payment Application Data Security Standard (“PA DSS”), which sets forth data security standards for software vendors that develop payment applications. Each new Data Security Standard will take effect on January 1, 2011.

In its summaries of the changes to each Data Security Standard, the Council makes clear that the majority of the changes arose from the need to clarify the intent of certain requirements, provide additional explanations or definitions, and ensure that the standards were up to date with emerging threats and changing markets.  

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

  • Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
  • Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
  • Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
  • Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities, rank them according to risk, and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.