The Payment Card Industry Security Standard Dozen

The Payment Card Industry Security Standards Council periodically releases new versions of PCI DSS. The current version is 1.2, which organizes its controls for protecting payment account data into 12 requirements. Those requirements cover a broad range of data security, from software design to policies and procedures. Version 1.2 is not intended to change the existing DSS, only to clarify it and tighten security at a time when many feel it is most needed.

There are two notable changes. One requires that off-site data storage locations be visited and their security reviewed for compliance with PCI DSS. The other imposes a sunset date on the use of Wired Equivalent Privacy (WEP). For those of us who don't speak techie, WEP is not an application but the original encryption protocol built into 802.11 wireless networking; its cryptographic weaknesses are well known, and an attacker who captures enough wireless traffic can recover the key, so it no longer protects cardholder data in transit. Under version 1.2, new WEP deployments are not allowed after March 31st, 2009, and existing ones must be retired by June 30th, 2010. In previous posts, I have talked about WEP having to be upgraded by June 30th, 2010 to Wi-Fi Protected Access (WPA).

Here are the 12 core requirements as outlined in the standard:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Many acquirers and large ISOs (independent sales organizations) have begun charging PCI compliance fees to their merchants to offset the costs they have incurred in becoming compliant. As a merchant, I would want to know why they were not compliant to begin with and why I am being charged an additional amount for something they should already be doing. Online merchants can take matters into their own hands, confirm that their own networks meet the current PCI DSS requirements, and dispute compliance fees charged directly by their processor.

Questions about PCI compliance? Contact us or call us at 855-402-8383!