by Bob | Apr 28, 2016 | Views
The Payment Card Industry Data Security Standard – PCI DSS – is fundamental to much of the work we undertake with clients. First published in December 2004 in the wake of the Enron scandal, PCI DSS consolidated the security standards being enforced by Visa, MasterCard, American Express, JCB and Discover. It is applicable to all businesses that Store, Process or Transmit payment card data, and compliance is enforced by the card schemes, through Payment Service Providers. Failure to comply can result in the card schemes levying unfavourable or punitive transaction rates on non-compliant merchants, or ultimately the card schemes could withdraw payment capabilities. Version 3.2, published today, places increased emphasis on rules for data access, criteria for ongoing compliance programmes, and a renewed emphasis on the need to migrate to a more secure web protocols. The old standard – Version 3.1 – will be retired in December 2016 and after that date all PCI DSS assessments will be made against the new standard. The major changes that the new standard bring in are: Data Access The new data access rules will mean that enhanced, multi-factor, authentication will be required for all employees who can amend systems that contain card data – User ID and Password will no longer cut it. There’s a direction here, how long before all access to the Cardholder Data Environment will require such credentials? Ongoing Compliance Programmes The new standard incorporates “Designated Entities Supplemental Validation” (DESV) – which Troy Leach of the PCI Security Standards Council describes DESV as “a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments....