Bambanek, by contrast, calls the requirement, "a great leap forward. Static vulnerability scanners can miss a great deal, and the move to penetration tests shifts the focus from retrospective testing to what an attacker can actually do."
Other requirements that call for more frequent compliance audits for service providers and maintaining security throughout the year rather than making it an annual exercise also remain contentious.
Nobody argues that constant compliance would be a bad thing, but merchants have complained for years that it is simply unrealistic. And a number of security experts agree that it is possible to be compliant with the standard one day and out of compliance the next.
Mogull, in an October 2013 interview, rejected the PCI SSC's assertion that no company that was in compliance had ever been successfully breached.
If a company with PCI certification is breached, he said, "the PCI SSC then retroactively revokes its compliance certification, often due to the victim not checking log files on a daily basis or something similar ... you can always find something someone missed."
Morrato agrees that more frequent audits and maintaining compliance will be a "pain point," but he said, "once organizations get into a rhythm of doing this and adapt their practices to the new standard, it should become much smoother and treated like any other routine process regarding security evaluation and auditing."
Overdue as the new requirements may be, they will only be considered "best practices" immediately. They will not be mandatory for another 19 months - Feb. 1, 2018 - "to allow organizations an opportunity to prepare to implement these changes," according to Troy Leach, CTO of the PCI SSC.
That, according to Conroy, is not a major problem. "PCI is a set of minimum data security guidelines," she said. "The merchants that I speak with that are keeping tabs on the threat landscape and responding to the evolving threats generally don't find PCI too onerous, because they're already meeting most of the requirements."
Source: CSO Online
Sign up for CIO Asia eNewsletters.