Thursday, December 12, 2013

PCI Security Revisited for 2014

While the new PCI 3.0 requirements take effect on January 1st, 2014, existing PCI 2.0 compliant locations have until January 1, 2015 to make the changes needed to meet the new requirements. The new version of PCI has three types of modifications: clarifications, additional guidance, and evolving requirements. Several places in the new document include clarifications intended to assist with compliance.

One of the points in the new version of the PCI requirements is meant to clear up the common misconception that using a PA-DSS validated POS application guarantees that you are PCI compliant. The PCI V3.0 document states: “Use of a Payment Application Data Security Standard (PA-DSS) compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor.” In other words, the POS application falls under only one of the 12 areas of PCI compliance; the environment it runs in must satisfy the other eleven.

These are the 12 major areas of requirements for PCI compliance:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
For further information and the full requirement documents, visit the www.pcisecuritystandards.org website.