PCI DSS rules kick in this month
Version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) is already in effect, which effectively gives companies a year to implement and validate the changes. This is not earth-shattering news to most companies, but it does present some technical challenges.
The last thing you want is to assume that compliance will somehow take care of itself over the next 12 months. This was underscored by a recent attack on a New York travel firm, CitySights. Over a reported period of three weeks, hackers were able to access the banking details of 110,000 customers, garnering account numbers, expiration dates, CVV2 codes, and other personally identifying information such as home and email addresses. One investigator suggested the CitySights website was not in compliance with PCI DSS.
It wouldn't be a surprise at all if it turned out that a lot of merchants and their IT vendors are still not up to date on the security burdens imposed by version 2.0.
Virtualization and the new requirements in that area have garnered the most attention. But there are a lot of other new rules as well, like "logging, risk-based assessments of security vulnerabilities and project scoping, to determine all the places where cardholders' data resides," according to eWeek.
You would be wise to jump on this early, following the lead of Amazon.com, which has announced it is already compliant with version 2.0.
For more:
- here's the article