The recently released Payment Card Industry Data Security Standard (PCI DSS) Version 2.0 does not contain any major changes, but it does include some small revisions affecting payment processing security.
The clarifications and additional guidance in the update include:
- New language on the scope of PCI compliance, covering the degree to which a merchant's or processor's computing and data-transmission systems store or pass cardholder data. If a system touches the data, it is considered "in scope." Before annual PCI audits, companies should inform their Qualified Security Assessor (QSA) of every place card data could reside on their systems. This helps the QSA and also makes merchants more aware of where cardholder data could be stored.
- An "evolving requirement" added to rule 6.2 on risk ranking, which becomes mandatory July 1, 2012. Companies subject to PCI will need to identify their security vulnerabilities and state how they plan to mitigate them.
- Small merchants may use visual inspection, rather than automated tools, to identify "rogue access points" in their computer systems that could allow attackers to gain entry. Visual inspection alone won't be enough for mid-sized and large merchants with more complex systems.
- Clarification that the primary account number (PAN) is the key piece of data that needs protection.
- Clarifications regarding centralized log management to track activity on computer systems.
- Acknowledgement of the practice of virtualization, which lets merchants run multiple operating systems on a single server or host computer.
For information on secure payment processing, visit paynetsecure.net