PCI Security Standards Council updates data security document
12 Aug, 2010 | By: Jason Q. Freed, Hotel and Motel Management

National Report -- In an attempt to strengthen protection of a customer’s personal credit card data after it has been accepted by a merchant, the Payment Card Industry Security Standards Council has revised the requirements merchants must follow when accepting or transferring credit card data.
The council will issue version 2.0 of its PCI Data Security Standard in October, and hoteliers and hotel technology vendors are advised to pay close attention to the revisions.
Hotel & Motel Management magazine spoke with Bob Russo, GM of the PCI Security Standards Council, to get a summary of some of the changes that will appear in the second version of the document. The council is releasing a summary of changes today so the public can educate themselves and be ready to attend feedback meetings before the document is officially enacted.
“By and large, the majority of revisions are clarifications and additional guidance,” Russo said. “This is all part of transparency – making sure everyone is aware of what’s coming in the new standard prior to releasing it.”
One major change in the document will address “scoping,” or how a merchant prepares for an assessment to make sure they are compliant. Russo said version 2.0 of the PCI DSS will require merchants to use discovery tools to determine where credit-card data is being stored within the network prior to an on-site visit from a qualified security assessor.
“There are a lot of discovery tools out there,” Russo said. “We are endorsing the use of some sort of methodology; we are not endorsing the use of a specific product.”
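The discovery step described above, as an added example that is not from the article, the Council or any vendor: a minimal cardholder-data discovery scan that finds 13-19 digit sequences (optionally separated by spaces or dashes), drops candidates that fail the Luhn check so that order numbers and timestamps are not reported, and records only a masked form of each match so the scan output itself does not become a new store of card data. The file names, contents and the `CANDIDATE` pattern are constructed assumptions; real discovery tooling also covers databases, disk images and memory, and this example is not an endorsement of any product or methodology.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, each digit optionally followed by one space or dash
# (covers "4111111111111111" and "5500-0000-0000-0004"). Assumed pattern, not from PCI SSC.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    source: str      # file or system the PAN was found in
    line_no: int     # 1-based line number
    masked_pan: str  # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, which PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text body line by line and return masked Luhn-valid matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source name -> content (in-memory stand-in for a filesystem walk)."""
    findings = []
    for source in sorted(files):
        findings.extend(scan_text(source, files[source]))
    return findings


def sources_in_scope(findings: list[Finding]) -> list[str]:
    """Distinct sources holding cardholder data: these systems fall into assessment scope."""
    return sorted({f.source for f in findings})


# Constructed sample data. The card numbers are well-known test PANs, not real accounts.
SAMPLE_FILES = {
    "pos-gateway/app.log": (
        "2010-08-12 09:14:02 INFO auth ok card=4111111111111111 amount=120.00\n"
        "2010-08-12 09:15:10 INFO order 1234567890123456 shipped\n"   # fails Luhn: not reported
    ),
    "front-desk/notes.txt": "Guest asked to keep card 5500-0000-0000-0004 on file for incidentals.\n",
    "marketing/visitors.csv": "visit_id,pages\n20100812093000,7\n",  # 14-digit id, fails Luhn
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
    print("in scope:", ", ".join(sources_in_scope(results)))
```

In practice the scan would walk real file shares, logs and database exports, and the `sources_in_scope` list is what a merchant brings to the assessor to show which systems must be included in (or segmented away from) the cardholder data environment.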
Additional changes in version 2.0 of the PCI DSS and PA-DSS include:
• Support for centralized logging included in PA-DSS to promote more effective log management
• Validation, within certain requirements, of risk-based approach for addressing vulnerabilities, allowing organizations to consider their specific business circumstances and tolerance to risk when assessing and prioritizing vulnerabilities
The PCI SSC will hold annual committee meetings in Orlando and Barcelona to discuss the revisions prior to officially releasing them, Russo said.
“The revisions are totally based on feedback we’ve received over the past year,” he said. “More than 50 percent of that feedback has come from outside the U.S., reinforcing the fact that this is a global standard.
“We want participating organizations to have a copy of this before we get to the community meetings so they can look at it and see how it affects them.”
Russo suggested hoteliers take as much responsibility in protecting guest data as the technology vendors they partner with. Securing data is a shared responsibility, he said.
“Not only do they have to be aware of their responsibility, they need to make sure their vendors are also adhering to PCI standards and that their hardware and software is PCI compliant,” Russo said. “They need to make sure they are asking the question and then they can go to our website and look these things up.”
For more information on how PCI compliance affects hoteliers, visit Hotel & Motel Management’s special report on data security at: www.hotelworldnetwork.com/security0510
To view a more detailed summary of changes to the PCI DSS, see: https://www.pcisecuritystandards.org/index.shtml
The PCI SSC also invites the public to a webinar that covers the summary of changes in greater depth, to be held at 3 p.m. August 24. Registration details can be found here: http://register.webcastgroup.com/l3/?wid=0830824105314