Monday, September 13, 2010

No New Requirements for PCI-DSS: What is the Role of the Council?

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT MSSG

The latest version of the PCI DSS has no new requirements, only clarifications and new guidance. The final version of the amended standard should be released on October 28, 2010, and go into effect in January 2011. The draft summary of changes is available here.

Absent from the list of requirements is any further information on the most contentious items: tokenization, point-to-point encryption and chip and PIN. It is tempting to hazard a guess that the lack of implementations has delayed the PCI council from issuing guidance on protecting card data in this manner.

The question becomes then, is the PCI Data Security Standard about defining security and guiding the industry to good security practices, or is it about observing organizations and simply defining standards based on what appears to be working and from forensics of security breaches?

It would appear that the latter is true, given that chip and PIN was introduced in Europe as early as 2004 and most EU countries have already adopted this technology. Canada started conversion to chip and PIN in 2008, and full conversion is expected by 2015. The expense of changing the technology behind credit card payments in the United States is enormous, given that half the credit cards in the world are based here. This vast financial expense, and the way that such a change would have to be funded or mandated, has resulted in a lackluster reception for chip and PIN in the U.S.

Even if the U.S. does not adopt chip and PIN, the card companies are constantly working to define new measures. For instance, Visa has just introduced the Emue card, which has an embedded keypad and display enabling authentication of transactions; however, the same hurdles exist for the introduction of any technology that impacts the payment card system. The fact that the Payment Council has remained quiet on the subject of chip and PIN has caused European and Asian companies to level accusations that the standard is U.S.-centric, and it highlights the need to open up the discussion to include not only traditional infrastructures but also organizations that are using newer technologies to secure card data.

The role of the council should not only be to set standards around what is already in use, but also to influence up-and-coming systems so that new technology is open and there are clear-cut standards across the board.

One Response to “No New Requirements for PCI-DSS: What is the Role of the Council?”

  1. [...] are, quite literally, another dozen topics that I’d like to get stuck into discussing from EMV to encryption, not to mention a fascinating analysis of the TJX breach and Gonzalez’s sentencing.  But I’ll [...]
