While the new PCI 3.0 requirements take effect on January 1st, 2014, existing PCI 2.0 compliant locations will have until January 1, 2015 to make the necessary changes to meet the new requirements. The new version of PCI has three types of modifications: clarifications, additional guidance, and evolving requirements. As part of the new document, there are several places where clarifications are included to assist with compliance.
One of the points outlined in the new version of the PCI requirements is meant to clarify the common misconception that using a PA-DSS POS application guarantees that you are PCI compliant. This is mentioned in the PCI V3.0 document where it says: “Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.”

In other words, the POS application falls under only one of the 12 areas of PCI compliance.
These are the 12 major areas of requirements for PCI compliance:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
For further information and documents, please visit the www.pcisecuritystandards.org website.