The latest edition of the rules governing online credit card transactions now has provisions covering some virtual environments.
The second edition of the Payment Card Industry Data Security Standard was released last Thursday and contains minor changes to take virtualization into account and increase security levels.
The standard mandates that organizations handling payment card data adopt a minimum security posture for the processing of credit card transactions. Annual compliance validation is handled either internally or by external independent Qualified Security Assessors, depending on the size of the organization.
Virtualized systems are now included within the scope of PCI DSS system components, specifically in requirement 2.2.1, which details how compliance functions relate to some virtual environments. The PCI Special Interest Group, composed of auditors, merchants and financial institutions, will flesh out how other environments will affect the standard.
Amichai Shulman, chief technical officer of security company Imperva, said the changes in the document are minor and include the scoping of PCI assessments, the adoption of risk-based approaches to vulnerability mitigation and the provision of further detail on standards for secure application coding.
Ronin Security director Matt Hackling said the standard does not shake up the industry.
"No new shocks from version 2.0 from our perspective," Hackling said. "Nonetheless, organizations should consider the impact of implementing the standard."
Merchants will rank vulnerabilities "based on industry best practice", according to section 6.2 of the document. Security publication Dark Reading reports that low-risk vulnerabilities will no longer need to be assessed, based on a measure of "actual risk of exploitation and potential damages".
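The risk-based ranking described above is only sketched in the article. The following is an added illustration, not code from ZDNet, the PCI Security Standards Council or any firm quoted here: it scores each finding by an estimated likelihood of exploitation and by the potential damage (cardholder data exposure weighing heaviest), then ranks and filters the list so that only medium- and high-risk items are queued for remediation. The weights, thresholds, field names and the sample findings are all constructed assumptions chosen to make the scheme concrete; a merchant's assessor would expect the real scheme to be documented and justified against the "industry best practice" the section cites.

```python
"""Illustrative risk-based vulnerability triage (constructed example).

Implements a 'rank by actual risk of exploitation and potential damage' step
of the kind PCI DSS 2.0 section 6.2 calls for. Every weight, threshold and
sample finding below is an assumption for illustration, not PCI SSC guidance.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    ident: str
    cvss_base: float            # CVSS base score, 0.0 to 10.0
    exploit_public: bool        # working exploit code is publicly available
    internet_facing: bool       # host is reachable from untrusted networks
    in_cde: bool                # host stores, processes or transmits card data
    compensating_control: bool  # e.g. a WAF rule or network ACL already in place


def likelihood(f: Finding) -> float:
    """Estimated likelihood of exploitation on a 0-1 scale (assumed weights)."""
    score = f.cvss_base / 10.0
    if f.exploit_public:
        score *= 1.5   # public exploit code raises the chance of an attempt
    if not f.internet_facing:
        score *= 0.5   # internal-only exposure halves it
    if f.compensating_control:
        score *= 0.5   # an existing mitigation halves it again
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Potential damage: a cardholder-data-environment host dominates."""
    return 1.0 if f.in_cde else 0.4


def risk_score(f: Finding) -> float:
    """Likelihood x impact, rounded so rankings are stable across runs."""
    return round(likelihood(f) * impact(f), 3)


def rank(f: Finding) -> str:
    """Map the numeric score onto the three bands used for reporting."""
    s = risk_score(f)
    if s >= 0.6:
        return "high"
    if s >= 0.3:
        return "medium"
    return "low"


def triage(findings: Iterable[Finding]) -> List[Tuple[float, str, str]]:
    """Return (score, rank, ident) tuples sorted from highest to lowest risk."""
    return sorted(((risk_score(f), rank(f), f.ident) for f in findings), reverse=True)


def remediation_queue(findings: Iterable[Finding]) -> List[str]:
    """Idents ranked medium or high; low-risk items are recorded, not queued."""
    return [ident for _, r, ident in triage(findings) if r != "low"]


# Constructed sample findings; hostnames and descriptions are fictitious.
SAMPLE_FINDINGS = [
    Finding("SQLi-payment-form", 7.5, True, True, True, False),
    Finding("old-sshd-jumphost", 5.0, False, False, False, False),
    Finding("pos-firmware-unpatched", 6.8, True, False, True, False),
    Finding("marketing-www-banner-leak", 5.0, True, True, False, True),
    Finding("gateway-weak-tls-cipher", 4.3, False, True, True, False),
]

if __name__ == "__main__":
    for score, band, ident in triage(SAMPLE_FINDINGS):
        print(f"{band:6} {score:5.3f}  {ident}")
    print("queued for remediation:", remediation_queue(SAMPLE_FINDINGS))
```

Note that a public exploit against an internet-facing payment form saturates the likelihood scale, so it is ranked high regardless of its exact CVSS number, while the same CVSS score on an internal host outside the cardholder data environment drops to low; that asymmetry is the point of ranking by actual risk rather than by raw scanner severity.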
"Nobody is in business to be compliant. But our experience highlights a simple lesson: if you invest in controls to address PCI there is an incredible opportunity to improve overall security," Shulman said in a statement. "Since its inception, PCI has expanded awareness to data security risks and has driven major investments in data security technology and processes."
The new PCI DSS release cycle has been drawn out from two years to three, but the extension does not mean the security standards risk becoming redundant before they are updated, according to regional sales director of security firm Imperva, Kane Lightower.
Lightower said the standard is designed to enforce a minimum security benchmark and suggestions that it would become a hacker's playbook are wrong.
"Organizations should not be basing their security infrastructure entirely on compliance," Lightower said.
He said compliance is becoming "more mature", but the lack of data breach disclosure laws in Australia means there is more carrot than stick.
"The consequences of data breaches here aren't as high as the US so the driver for compliance is not as strong."
A recent report (PDF) from Verizon Business revealed that a mere 22 per cent of organizations surveyed were fully compliant with PCI DSS.
The council said the release cycle will allocate a year to deploy the standard, review feedback and formalise the next revision.
The new version of the standard becomes effective on January 1, 2011.
This article was first posted in ZDNet Australia.