What are the key changes that have been made in the updated PCI DSS and PA-DSS standards?

On October 28, the PCI Security Standards Council released the newest version of these standards following requests from stakeholders for more clarity and flexibility.

PCI Security Standards Council general manager Bob Russo says: “They asked and we listened, making it easier for merchants to align their security efforts.”

Russo highlights three key changes. The first is the reinforcement of a thorough scoping exercise before a PCI DSS assessment in order to understand where cardholder data resides. “Essentially it means that you need to have some sort of methodology or process in place for finding your data,” says Russo.

The second is changes to promote more effective log management in securing cardholder data. Russo explains: “This requirement helps organisations better identify suspicious activity, and perhaps prevent a small hole from becoming a large breach.” The third major change has been made with small merchants in mind. Russo explains: “We’ve heard a lot of feedback from small merchants and made several changes to the standards, the self-assessment questionnaire process you use and available resources to assist small businesses in addressing the important issue of card data security.”

A new website has also been launched: www.pcisecuritystandards.org/smb. The new standard is effective from January 1, 2011, and the current one is not retired until December 2011.