New PCI Standard: MSPs Deal With Semantics
Sometimes an MSP’s job is semantical as well as technical. Take the latest version of the Payment Card Industry Data Security Standard (PCI DSS 2.0), which has been out for a few weeks now. MSPs say the standard clarifies the language of the previous iteration, which had some enterprises confused. The PCI standard prescribes security measures for businesses that handle customers’ credit card data. The PCI Security Standards Council, which manages the PCI DSS 2.0 standard, said most of the changes in the new version “are modifications to the language, which clarify the meaning of the requirements and make adoption easier for merchants.” Here’s the update.
Not a bad idea, considering that one company that took too literally a directive to classify media so it could be identified as confidential. The company affixed “confidential” stickers on its backup tapes — a move that rather subverted the intent of the standard by inadvertently creating a temping target.
Eric Browning, security engineer at SecureWorks Inc., a managed security services provider, related that story, noting that the MSSP quickly put the customer on a surer security footing.
But it’s not just end customers that have experienced language issues. Browning said some Qualified Security Assessors, companies that check for PCI DSS compliance, interpreted the previous standard as prohibiting virtualization. He said that was not the case, adding that SecureWorks, a QSA itself, has been advising customers accordingly. The latest standard takes up the issue, including wordage that “explicitly allows virtualization to take place in a PCI environment,” Browning explained.
Still to Come
More advice on PCI and virtualization is forthcoming. One lingering question centers on whether every virtual machine on a server falls within the scope of PCI DSS or whether one virtual machine may deemed in scope and another not. Browning said a PCI council special interest group will provide guidance on scoping earlier next year.
Rahul Bakshi, vice president of managed services strategy and solutions design at SunGard Availability Services, said the new standard also impacts monitoring and reporting.
In that area, the standard provides additional clarify around “not just being able to monitor things, but also making sure you are actually capturing the data you are monitoring,” Bakshi said.
In the case automated monitoring, organizations need to make sure they have established the appropriate controls and alerting process.
Overall, Bakshi said PCI DSS 2.0 marks the continued maturation of the standard. It also ushers in a three-year lifecycle for standards development as opposed to the previous two-year cycle.
That’s all the more time for MSPs and their customers to learn the language.
Sign up for MSPmentor’s Weekly Enewsletter, Webcasts and Resource Center. Follow us via RSS, Facebook, Identi.ca and Twitter. Check out more MSP voices at www.MSPtweet.com. Read our editorial disclosure here.