The Green Sheet Online Edition

October 13, 2008  •  Issue 08:10:01


A new PCI day

The Payment Card Industry (PCI) Security Standards Council (SSC), managing body for the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application (PA) DSS, just released version 1.2 of the PCI DSS. Version 1.1 of the standard will sunset on Dec. 31, 2008.

"The PCI Data Security Standard version 1.2 is effective immediately," said Bob Russo, PCI SSC General Manager. "As of Oct. 1, 2008, the guidelines laid out in this new document accessible on the council's Web site apply to all merchants accepting payment cards, from the larger level 1 merchants, down to level 4 merchants.

"We encourage merchants who have not yet done so to familiarize themselves with the PCI Data Security Standard, as it is their best line of defense against a data breach."

Version 1.2 is designed to eliminate redundancies in the requirements, consolidate the rules for protecting cardholder data and improve reporting requirements. The PCI SSC said version 1.2 will not introduce any new requirements.

In the spotlight

Until recently, PCI compliance efforts were focused mainly on larger merchants classified under the standard as level 1 and level 2. But as those larger organizations have increasingly come into compliance, attention has turned to ensuring compliance among smaller organizations. Level 3 and level 4 merchants have moved into the spotlight.

Visa reported that level 4 merchants account for more than 99 percent of the merchants who accept Visa, indicating just how deep the potential market is.

"Cardholder data compromises affect level 4 merchants with greater frequency than level 1, 2 and 3 merchants combined," a Visa spokesman said.

In fact, 80 percent of identified compromises since Jan. 1, 2005, have occurred at level 4 merchant locations.

Acquirers must now develop risk assessment programs to identify and manage risk among their merchant populations; they may insist that even the smallest merchants undergo a quarterly network scan to identify security problems.

WEP no more

Two significant changes in version 1.2 involve requirement 9. The first change specifies that off-site cardholder data storage location operations must be visited and validated once a year. The second imposes a sunset date for the Wired Equivalent Privacy (WEP) protocol.

WEP implementations - designed to protect data over wireless networks - will not be allowed after March 31, 2009. Current WEP users have until June 30, 2010, to switch to another wireless security platform.

"Really, the bottom line is that this is just an opportunity to clarify 1.2," said Troy Leach, PCI SSC Technical Director. "When the next standard is released in 2010, the payment landscape and security issues will evolve significantly, so I think there will probably be more changes in that release of the standard."

Welcome news

According to Diana Kelley, Partner and Analyst with SecurityCurve, a data security consultancy, version 1.2 is welcome news for merchants and service providers grappling with the latest security threats to their payment transaction systems. "The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs," Kelley said.

The updated standard and supporting documentation is available at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
