The Green Sheet Online Edition

October 13, 2008  •  Issue 08:10:01

A new PCI day

The Payment Card Industry (PCI) Security Standards Council (SSC), managing body for the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application (PA) DSS, just released version 1.2 of the PCI DSS. Version 1.1 of the standard will sunset on Dec. 31, 2008.

"The PCI Data Security Standard version 1.2 is effective immediately," said Bob Russo, PCI SSC General Manager. "As of Oct. 1, 2008, the guidelines laid out in this new document accessible on the council's Web site apply to all merchants accepting payment cards, from the larger level 1 merchants, down to level 4 merchants.

"We encourage merchants who have not yet done so to familiarize themselves with the PCI Data Security Standard, as it is their best line of defense against a data breach."

Version 1.2 is designed to eliminate redundancies in the requirements, consolidate the rules for protecting cardholder data and improve reporting requirements. The PCI SSC said version 1.2 will not introduce any new requirements.

In the spotlight

Until recently, PCI compliance efforts were focused mainly on larger merchants classified under the standard as level 1 and level 2. But as those larger organizations have increasingly come into compliance, attention has turned to ensuring compliance among smaller organizations. Level 3 and level 4 merchants have moved into the spotlight.

Visa reported that level 4 merchants account for more than 99 percent of the merchants who accept Visa, indicating just how deep the potential market is.

"Cardholder data compromises affect level 4 merchants with greater frequency than level 1, 2 and 3 merchants combined," a Visa spokesman said.

In fact, 80 percent of identified compromises since Jan. 1, 2005, have occurred at level 4 merchant locations.

Acquirers must now develop risk assessment programs to identify and manage risk among their merchant populations; they may insist that even the smallest merchants undergo a quarterly network scan to identify security problems.

WEP no more

Two significant changes in version 1.2 involve requirement 9. The first change specifies that off-site cardholder data storage location operations must be visited and validated once a year. The second imposes a sunset date for the Wired Equivalent Privacy (WEP) protocol.

WEP implementations, designed to protect data over wireless networks, will not be allowed after March 31, 2009. Current WEP users have until June 30, 2010, to switch to another wireless security platform.

"Really, the bottom line is that this is just an opportunity to clarify 1.2," said Troy Leach, PCI SSC Technical Director. "When the next standard is released in 2010, the payment landscape and security issues will evolve significantly, so I think there will probably be more changes in that release of the standard."

Welcome news

According to Diana Kelley, Partner and Analyst with SecurityCurve, a data security consultancy, version 1.2 is welcome news for merchants and service providers grappling with the latest security threats to their payment transaction systems. "The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs," Kelley said.

The updated standard and supporting documentation are available at www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
