PCI DSS 2.0 Makes for Smarter Data Transfer Security

Tuesday, October 19, 2010 – Ipswitch File Transfer, Inc., an innovator of secure, managed file transfer solutions, today identified five key changes to the Payment Card Industry Data Security Standard (PCI DSS 2.0) that will substantially affect businesses transferring sensitive credit card data. The final draft of the standard will be released on October 28. However, the substance of many changes is now clear, whilst working groups on emerging technologies continue to report on forthcoming inclusions in the standard.

“The impending changes reflect developments in technology, the cost pressures on businesses and the development of smart, accepted practices,” explained Jonathan Lampe, VP of Product Management at Ipswitch and representative on the PCI Community Council. “Around fifty of our customers, from all over the world, are represented on the council.  The emphasis has been on identifying what’s secure and what works best.”

Key changes forthcoming in PCI DSS 2.0 that will affect the transfer of sensitive data include:

  • Explicit recognition of SFTP as a secure protocol.
  • Audit of virtual machine infrastructure and virtualisation hypervisors will be brought within the scope of PCI DSS.
  • Rotation requirements for the purposes of key management will be “based on industry best practices and guidelines” rather than an annual stipulation.
  • Identity and authentication requirements for users, “non-consumers” and administrators will be split further.
  • More specific requirements will be implemented around the auditability and security of timekeeping, especially as recorded in audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)

In addition, Lampe identifies the expected incorporation of tokenization technologies into official PCI guidance as a key security and cost-saving development.

“Tokenization – the use of data tokens in place of sensitive data such as PAN – is essentially a cost saving measure,” Lampe continued. “Early adopters are shrinking the costs of PCI compliance by handing responsibility for their most sensitive information to a trusted custodian, saving them the expense of treating every interaction as top secret. Tokenization is already accepted by Visa and is the focus of a current PCI Council committee; the next logical step is for it to be incorporated into official PCI guidance.”

To find out more about PCI DSS compliant managed file transfer solutions, please contact Pro2col on 0333 123 1240.