VPN Haus: Do the new standards leave too much open to merchant’s interpretation?
Anton Chuvakin: This is really a $1 million question and only practice will tell. I think the 2.0 version leaves less than before to interpretation. For example, virtualization was a big question mark in many merchants’ minds and now it is resolved. Many other questionable and debatable points are clarified, but I am sure merchants would come up with more excuses as PCI DSS 2.0 is implemented in practice.
VPN Haus: Do you think pushing the DSS lifecycle from 24 months to 3 years will stagnate the rate of change? Or will it allow more time to investigate and build support around necessary changes?
Chuvakin: Well, I will side with [PCI General Manager Bob Russo] on this one: PCI DSS is getting mature enough to not need change that frequently. While some assault the standard as “not being dynamic,” in reality doing what PCI DSS prescribes and doing it well, by following the spirit and not only the letter, will equip organizations for dealing with today’s and – in my opinion – tomorrow’s threats. For example, the recent Verizon PCI report showed that non-compliant organizations seem to fare worse, which indirectly confirms that PCI DSS in its current form helps reduce the risk of data theft.