PCI DSS Expected to Evolve Based on Continued Data Breaches, Finds Thales
Thales, a communications security firm, has released results of a research study about the upcoming version of the Payment Card Industry Data Security Standards (PCI DSS). This new set of standards is expected to be released in October 2010 by the PCI Security Standards Council. Based on surveys with 155 qualified security assessors (QSAs), the following trends and key findings were identified:
The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations.
“Our research continues to validate that 60% of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41% of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity,” said Dr Larry Ponemon, chairman and founder of The Ponemon Institute.