1. There were no announcements regarding any major changes in either PCI DSS or PA-DSS, but there is a tendency to expand these standards into new areas such as Tokenization, Mobile Payments, and P2PE (see below).
2. Tokenization guidelines will become a standard in the near future, which means the rules around tokenization must be followed and any token implementation must be assessed by auditors. It is still unclear whether it is going to be a separate standard or part of an existing one such as PCI DSS. The standard will cover all aspects of tokenization such as token generation, token storage (token vault), usage, etc. Final delivery of the standard: 2013-2014.
3. Mobile Payments
- Mobile payment solutions are going to be divided into 3 major categories with several sub-categories, based on different technologies and hardware/software configurations. For example, smartphone-based solutions fall under the 3rd category. The idea is to gradually release guidelines for each category/sub-category and eventually create a mobile payments standard, so most probably the mobile payments guidelines will eventually become a standard, similar to Tokenization. No timelines were provided for the future guidelines or standards.
- New PCI Mobile Payment Acceptance Security Guidelines for Developers were released during the meeting.
4. P2PE
- Next Steps: the next step is releasing the Hybrid P2PE Requirements (there is an existing draft), and after that comes software P2PE. No dates were provided.
- SAQ-P2PE-HW: I don’t know if you have noticed, but a new SAQ-P2PE-HW (Self-Assessment Questionnaire for Hardware/Hardware P2PE) has been available on the PCI website since June. It still cannot be used because there are no listed PCI P2PE solutions yet. Once the P2PE solutions listing is published on the PCI website, merchants that implement a PCI-approved P2PE solution will be eligible to complete this special SAQ, which is supposed to be “easier” than the regular one.
Note: this still applies only to merchants that are eligible for an SAQ. Others will still go through the regular QSA assessment.
5. A new PCIP (PCI Professional) certification program was just launched (in September). The idea is that each organization would have PCIP-certified employees who understand PCI and help maintain PCI compliance. The difference between PCI ISA and PCIP is that PCI ISA is linked to a specific employer, while PCIP is a personal certification.
Criteria:
- All candidates: training course and exam;
- CISSP holders: exam only;
- PCI ISA holders: no training or exam, the certification can be earned automatically (I signed in already).