The Payment Card Industry (PCI) Security Standards Council (SSC), the managing body for the PCI Data Security Standard (DSS), the PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), has released version 1.2 of the PCI DSS. Version 1.1 of the standard will sunset on Dec. 31, 2008.
"The PCI Data Security Standard version 1.2 is effective immediately," said Bob Russo, PCI SSC General Manager. "As of Oct. 1, 2008, the guidelines laid out in this new document accessible on the council's Web site apply to all merchants accepting payment cards, from the larger level 1 merchants, down to level 4 merchants.
"We encourage merchants who have not yet done so to familiarize themselves with the PCI Data Security Standard, as it is their best line of defense against a data breach."
Version 1.2 is designed to eliminate redundancies in the requirements, consolidate the rules for protecting cardholder data and improve reporting requirements. The PCI SSC said version 1.2 will not introduce any new requirements.
Until recently, PCI compliance efforts were focused mainly on larger merchants classified under the standard as level 1 and level 2. But as those larger organizations have increasingly come into compliance, attention has turned to ensuring compliance among smaller organizations. Level 3 and level 4 merchants have moved into the spotlight.
Visa reported that level 4 merchants account for more than 99 percent of the merchants who accept Visa, indicating just how deep the potential market is.
"Cardholder data compromises affect level 4 merchants with greater frequency than level 1, 2 and 3 merchants combined," a Visa spokesman said.
In fact, 80 percent of identified compromises since Jan. 1, 2005, have occurred at level 4 merchant locations.
Acquirers must now develop risk assessment programs to identify and manage risk among their merchant populations; they may insist that even the smallest merchants undergo a quarterly network scan to identify security problems.
Two significant changes in version 1.2 concern physical security of stored data (requirement 9) and wireless encryption (requirement 4.1.1). The first specifies that off-site cardholder data storage locations must be visited and their security validated at least once a year. The second imposes a sunset date for the Wired Equivalent Privacy (WEP) protocol.
WEP, the original 802.11 encryption scheme, has well-known key-recovery weaknesses and no longer protects data over wireless networks. Under version 1.2, new WEP implementations are not allowed after March 31, 2009; existing WEP deployments have until June 30, 2010 to move to strong wireless encryption such as IEEE 802.11i (WPA2).
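A merchant or assessor checking a site against the WEP sunset needs to know which of its access points still run WEP. The script below is an added example, not code from the PCI SSC, Visa or this article: it parses the text output of the Linux `iw dev <iface> scan` command (an assumed input format), classifies each BSS as open, WEP, WPA/TKIP or WPA2/CCMP, and reports findings against the two sunset dates. The scan output embedded in it is constructed for the example; the BSSIDs and SSIDs are made up.

```python
"""Flag WEP and open wireless networks in `iw dev <iface> scan` output.

Added example for the PCI DSS v1.2 WEP sunset; not PCI SSC or Visa code.
Assumes the text format of the Linux `iw` tool. SAMPLE_SCAN is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Sunset dates stated in PCI DSS v1.2 for WEP.
NEW_WEP_PROHIBITED_AFTER = date(2009, 3, 31)
ALL_WEP_PROHIBITED_AFTER = date(2010, 6, 30)

# Constructed, abridged `iw dev wlan0 scan` output (BSSIDs/SSIDs made up).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    SSID: POS-LEGACY
    capability: ESS Privacy ShortPreamble (0x0431)
BSS 00:11:22:33:44:66(on wlan0)
    SSID: POS-WPA2
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:77(on wlan0)
    SSID: GUEST-OPEN
    capability: ESS ShortSlotTime (0x0401)
BSS 00:11:22:33:44:88(on wlan0)
    SSID: POS-WPA1
    capability: ESS Privacy (0x0411)
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    privacy: bool          # "Privacy" capability bit: some link encryption is on
    rsn: bool              # RSN (WPA2) information element advertised
    wpa: bool              # vendor WPA (WPA1) information element advertised
    pairwise: set = field(default_factory=set)

    @property
    def security(self) -> str:
        if not self.privacy:
            return "open"
        if not (self.rsn or self.wpa):
            # Privacy bit set but no WPA/RSN element: pre-RSNA, i.e. WEP.
            return "WEP"
        if "TKIP" in self.pairwise:
            return "WPA-TKIP"      # TKIP offered (WPA1 or mixed-mode WPA2)
        return "WPA2-CCMP"


_BSS_SPLIT = re.compile(r"^BSS ([0-9a-fA-F:]{17})", re.M)


def parse_scan(text: str) -> list:
    """Split `iw` scan output into per-BSS blocks and parse each one."""
    parts = _BSS_SPLIT.split(text)          # ['', bssid1, body1, bssid2, ...]
    aps = []
    for bssid, body in zip(parts[1::2], parts[2::2]):
        ssid = re.search(r"^\s*SSID: (.*)$", body, re.M)
        cap = re.search(r"^\s*capability: (.*)$", body, re.M)
        pairwise = set()
        for line in re.findall(r"Pairwise ciphers: (.*)$", body, re.M):
            pairwise.update(line.split())
        aps.append(AccessPoint(
            bssid=bssid.lower(),
            ssid=ssid.group(1).strip() if ssid else "",
            privacy="Privacy" in (cap.group(1) if cap else ""),
            rsn=bool(re.search(r"^\s*RSN:", body, re.M)),
            wpa=bool(re.search(r"^\s*WPA:", body, re.M)),
            pairwise=pairwise,
        ))
    return aps


def wep_sunset_findings(aps: list, scan_date) -> list:
    """Return (bssid, ssid, finding) tuples for networks the review flags.

    A scan cannot tell a new WEP deployment from an existing one, so between
    the two dates the finding quotes the migration deadline.
    """
    day = date.fromisoformat(scan_date) if isinstance(scan_date, str) else scan_date
    findings = []
    for ap in aps:
        if ap.security == "open":
            findings.append((ap.bssid, ap.ssid, "no encryption"))
        elif ap.security == "WEP":
            if day > ALL_WEP_PROHIBITED_AFTER:
                note = "WEP in use after 2010-06-30 cutoff"
            elif day > NEW_WEP_PROHIBITED_AFTER:
                note = "WEP: no new deployments; migrate by 2010-06-30"
            else:
                note = "WEP: migrate by 2010-06-30"
            findings.append((ap.bssid, ap.ssid, note))
    return findings


if __name__ == "__main__":
    aps = parse_scan(SAMPLE_SCAN)
    for ap in aps:
        print(f"{ap.bssid}  {ap.ssid:<12} {ap.security}")
    for finding in wep_sunset_findings(aps, "2009-10-01"):
        print("FINDING:", *finding)
```

Two caveats for anyone using this approach: a passive scan only sees access points that beacon within range of the scanning interface, so rogue or hidden-SSID devices need a separate sweep, and a WPA2 network that also offers TKIP in mixed mode is reported as TKIP-capable because a client can still negotiate the weaker cipher.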
"Really, the bottom line is that this is just an opportunity to clarify 1.2," said Troy Leach, PCI SSC Technical Director. "When the next standard is released in 2010, the payment landscape and security issues will evolve significantly, so I think there will probably be more changes in that release of the standard."
According to Diana Kelley, Partner and Analyst with SecurityCurve, a data security consultancy, version 1.2 is welcome news for merchants and service providers grappling with the latest security threats to their payment transactions systems. "The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs," Kelley said.
The updated standard and supporting documentation is available at www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.