Thales announced the results of a research study about the upcoming version of the Payment Card Industry Data Security Standards (PCI DSS). The new set of standards is expected to be released in October 2010 by the PCI Security Standards Council.
Based on surveys with 155 Qualified Security Assessors (QSAs), the following trends and key findings were identified:
1. Encryption is one of the most effective means for achieving compliance but questions arise on how to treat encrypted data in audits. It is believed that clarifications will be issued on the use of encryption and key management.
2. 41 percent of those surveyed believed tokenization will be included in the update as the technology to use to increase cardholder data security and reduce cost of compliance.
3. Tier 1 merchants are paying $122,000 more on average than Tier 2 merchants to do the same QSA assessments.
The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available at
“Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity,” says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.