Credit Card Data Security Updates - Is Your Organization Aware?


By Dan Desko

Recently, the PCI Security Standards Council updated the Payment Card Industry (PCI) Data Security Standard (DSS) to version 2.0. If you are not familiar with the standard, it is meant to encourage and enhance cardholder data security and to facilitate the broad, consistent adoption of data security measures on a global scale. If your organization stores, processes or transmits cardholder data, you are subject to the requirements of the PCI-DSS.

Some of the highlights of the update to version 2.0 include: 


  • Additional clarification that the primary account number (PAN) is the defining factor in the applicability of PCI-DSS requirements: the requirements apply only if the PAN is stored, processed or transmitted. 
  • Additional guidance explaining that using a Payment Application Data Security Standard (PA-DSS) compliant application alone does not make an entity PCI-DSS compliant.
  • Additional clarification that network segmentation of the cardholder data environment may be achieved through physical or logical means. Where virtualization technologies are used, only one primary function may be implemented per virtual system component or device, so that functions requiring different security levels do not coexist on the same resources.
  • Additional guidance stating that Wired Equivalent Privacy (WEP) is prohibited as a wireless security control under the PCI-DSS requirement that wireless networks transmitting cardholder data, or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
  • Additional clarification that risk-ranking identified vulnerabilities on systems is considered a best practice until June 30, 2012, after which it becomes a requirement. At a minimum, the highest-risk vulnerabilities must be ranked as "High".
  • Additional guidance requiring quarterly testing for the presence of wireless access points in order to detect unauthorized wireless access. Methods that may be used include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless intrusion detection/intrusion prevention systems (IDS/IPS). Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices. 
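
The last two wireless points above (no WEP, and a quarterly check that finds and identifies unauthorized access points) are the ones most organizations end up scripting. The following is an added example, not code from the Schneider Downs post or from the PCI Council: it takes a simplified, constructed scan result in the style of an airodump-ng CSV, compares each access point against a constructed inventory of sanctioned BSSIDs, and flags unknown devices, unknown devices impersonating a sanctioned SSID, and sanctioned devices still running WEP or no encryption. The SSIDs, MAC addresses and function names are all assumptions for illustration.

```python
"""
Added example (not part of the original post): a quarterly rogue access-point
check over a wireless scan, plus enforcement of the "no WEP / no open" rule
for sanctioned access points.  Scan rows, BSSIDs and SSIDs are constructed;
in practice the rows would come from a tool such as airodump-ng.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str     # AP MAC address, normalised to lower case
    essid: str     # advertised network name
    channel: int
    privacy: str   # airodump-ng style: "OPN", "WEP", "WPA", "WPA2"
    cipher: str    # "", "WEP", "TKIP", "CCMP"


# Constructed sample scan (simplified airodump-ng CSV; ESSID is the last field
# so that commas inside a network name do not break parsing).
SCAN_CSV = """\
BSSID, channel, Privacy, Cipher, ESSID
00:11:22:33:44:01, 6, WPA2, CCMP, CORP-POS
00:11:22:33:44:02, 11, WPA2, CCMP, CORP-POS
00:11:22:33:44:03, 1, WEP, WEP, LEGACY-SCANNER
de:ad:be:ef:00:01, 6, WPA2, CCMP, CORP-POS
de:ad:be:ef:00:02, 3, OPN, , Free WiFi
"""

# Constructed inventory of sanctioned APs in or near the CDE: BSSID -> ESSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-POS",
    "00:11:22:33:44:02": "CORP-POS",
    "00:11:22:33:44:03": "LEGACY-SCANNER",
}

WEAK_PRIVACY = {"OPN", "WEP"}


def parse_scan(csv_text):
    """Parse the simplified CSV above into AccessPoint records (header skipped)."""
    aps = []
    for line in csv_text.strip().splitlines()[1:]:
        if not line.strip():
            continue
        bssid, channel, privacy, cipher, essid = [
            f.strip() for f in line.split(",", 4)
        ]
        aps.append(AccessPoint(bssid.lower(), essid, int(channel),
                               privacy.upper(), cipher.upper()))
    return aps


def audit(aps, authorized):
    """Return (bssid, finding_code, detail) tuples for every AP needing action."""
    findings = []
    sanctioned_ssids = set(authorized.values())
    for ap in aps:
        if ap.bssid not in authorized:
            if ap.essid in sanctioned_ssids:
                # Unknown radio advertising our SSID: classic evil twin.
                findings.append((ap.bssid, "ROGUE_TWIN",
                                 f"unknown BSSID advertising sanctioned SSID {ap.essid!r} on ch {ap.channel}"))
            else:
                # Not necessarily hostile (could be a neighbour), but it must be
                # identified and ruled out, which is what the requirement asks.
                findings.append((ap.bssid, "UNKNOWN",
                                 f"unlisted BSSID {ap.essid!r} on ch {ap.channel}; identify and document"))
            continue
        if authorized[ap.bssid] != ap.essid:
            findings.append((ap.bssid, "SSID_MISMATCH",
                             f"inventory says {authorized[ap.bssid]!r}, scan saw {ap.essid!r}"))
        # Encryption is only our problem on devices we own; WEP or open on a
        # sanctioned AP is a direct violation of the strong-encryption rule.
        if ap.privacy in WEAK_PRIVACY or ap.cipher == "WEP":
            findings.append((ap.bssid, "WEAK_ENCRYPTION",
                             f"{ap.privacy}/{ap.cipher or 'none'} on sanctioned AP {ap.essid!r}; WEP and open are prohibited"))
    return findings


def quarterly_report(csv_text=SCAN_CSV, authorized=AUTHORIZED_APS):
    """Convenience wrapper: parse, audit, and return findings for the evidence file."""
    return audit(parse_scan(csv_text), authorized)


if __name__ == "__main__":
    for bssid, code, detail in quarterly_report():
        print(f"{code:16} {bssid}  {detail}")
```

Keep the scan output and the resulting findings list as the evidence for each quarter; the assessor will ask for both. The inventory lookup is keyed on BSSID rather than SSID deliberately: an attacker chooses the SSID, so matching on name alone would make the evil-twin row above look legitimate.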

If you have questions about PCI compliance and your organization, please contact Eric Wright, Schneider Downs Technology Advisors Shareholder, at ewright@schneiderdowns.com or at (412) 697-5328.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.