Recently, the Payment Card Industry (PCI) Data Security Standard (DSS) was updated by the PCI Security Standards Council to version 2.0. If you are not familiar with the standard, it is meant to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures on a global scale. If your organization stores, processes or transmits cardholder data, you are subject to the requirements of the PCI-DSS.
Some of the highlights of the update to version 2.0 include:
- Additional clarification stating that the primary account number (PAN) is the defining factor in the applicability of PCI-DSS requirements. PCI-DSS requirements are only applicable if the PAN is stored, processed or transmitted.
- Additional guidance explaining that the use of a Payment Application Data Security Standard (PA-DSS) compliant application alone does not make an entity PCI-DSS compliant.
- Additional clarification stating that network segmentation of the cardholder data environment may be achieved through physical or logical means. The existing requirement to implement only one primary function per server is also extended to virtualized environments: where virtualization technologies are used, only one primary function may be implemented per virtual system component or device, so that functions requiring different security levels do not coexist on the same resources.
- Additional guidance stating that Wired Equivalent Privacy (WEP) is prohibited as a wireless security control. The underlying requirement is that wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
- Additional clarification stating that the process of risk-ranking identified vulnerabilities on systems is considered a best practice until June 30, 2012, after which it will be a requirement. At a minimum, the highest-risk vulnerabilities should be ranked as “High”.
- Additional guidance requiring quarterly testing for the presence of wireless access points in order to detect unauthorized wireless access. Methods that may be used include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless intrusion detection/prevention systems (IDS/IPS). Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.
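As an added illustration of the wireless-scan method above (this is example code written for this page, not code from the original post or from Schneider Downs), the following script compares the output of a wireless scan against an inventory of authorized access points. It flags BSSIDs that are not in the inventory, including ones that advertise an authorized SSID, and any network still using WEP or no encryption, which also covers the WEP prohibition noted earlier. The inventory, the scan lines and the `BSSID SSID SECURITY` line format are constructed assumptions for the example and do not correspond to any particular scanning tool.

```python
"""
Added example (not part of the original post): compare a wireless scan
against an authorized access-point inventory and report violations.
All data and the scan line format below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed inventory of authorized APs, keyed by BSSID (constructed).
AUTHORIZED_APS: Dict[str, str] = {
    "00:11:22:33:44:01": "CORP-POS",
    "00:11:22:33:44:02": "CORP-POS",
    "00:11:22:33:44:03": "CORP-GUEST",
}

# Security modes that must never appear on an in-scope wireless network.
PROHIBITED_SECURITY = {"WEP", "OPEN"}

# Constructed scan output: one record per line, "BSSID SSID SECURITY".
SAMPLE_SCAN = """\
00:11:22:33:44:01 CORP-POS WPA2
00:11:22:33:44:02 CORP-POS WPA2
00:11:22:33:44:03 CORP-GUEST WEP
DE:AD:BE:EF:00:01 CORP-POS WPA2
66:77:88:99:aa:bb Back Office Printer OPEN
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    security: str
    reason: str


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Parse "BSSID SSID SECURITY" lines; SSIDs may contain spaces."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            bssid, rest = line.split(maxsplit=1)
            ssid, security = rest.rsplit(maxsplit=1)
        except ValueError:
            raise ValueError(f"malformed scan record on line {lineno}: {line!r}")
        # Normalize so inventory comparison is not case-sensitive.
        records.append((bssid.lower(), ssid, security.upper()))
    return records


def evaluate(records, authorized, prohibited=PROHIBITED_SECURITY) -> List[Finding]:
    """Return one Finding per policy violation observed in the scan."""
    known = {b.lower(): s for b, s in authorized.items()}
    known_ssids = set(known.values())
    findings = []
    for bssid, ssid, security in records:
        if bssid not in known:
            # An unknown AP advertising one of our SSIDs looks like an evil twin.
            if ssid in known_ssids:
                reason = "unauthorized BSSID advertising an authorized SSID"
            else:
                reason = "unauthorized BSSID"
            findings.append(Finding(bssid, ssid, security, reason))
        if security in prohibited:
            findings.append(
                Finding(bssid, ssid, security, f"prohibited security mode {security}")
            )
    return findings


def unauthorized_bssids(findings) -> List[str]:
    """Distinct BSSIDs that are not in the inventory, sorted for reporting."""
    return sorted({f.bssid for f in findings if f.reason.startswith("unauthorized")})


if __name__ == "__main__":
    for f in evaluate(parse_scan(SAMPLE_SCAN), AUTHORIZED_APS):
        print(f"{f.bssid}  {f.ssid!r:24} {f.security:5} {f.reason}")
```

On the constructed scan this reports four findings: the authorized guest AP running WEP, an unknown BSSID advertising `CORP-POS`, and an unknown open network that is flagged twice (unauthorized and unencrypted). A check like this only sees what the scanning radio can hear and trusts a BSSID inventory that an attacker could spoof, which is why the standard lists physical inspection, NAC and wireless IDS/IPS alongside scanning rather than as alternatives.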
If you have questions about PCI compliance and your organization, please contact Eric Wright, Schneider Downs Technology Advisors Shareholder, at firstname.lastname@example.org or at (412) 697-5328.