Sister CISA CISSP

Dec 9 2008   9:27PM GMT

Check out the New PCI Standards



Posted by: Arian Eigen Heald
Tags:
PCI DSS
Security

The new PCI (Payment Card Industry) Data Security Standards, Release 1.2 came out in October, and are worth taking a look. They’ve added some updated recommendations (like getting rid of WEP entirely by 2010), and I especially liked some of the following features:

Compensating controls must be reviewed, documented and validated by an assessor annually. A compensating control worksheet must be completed for each compensating control. These changes emphasize the council’s intent to make it more difficult for merchants to use compensating controls rather than meeting the requirements of the DSS.

I like this; a control is a control – a compensating control is not meant to be a permanent solution.

Monitoring sensitive areas: Version 1.1 required the use of video cameras to monitor sensitive areas. The new version offers the possibility of using other access control mechanisms to monitor access to sensitive areas. This can include card keys or biometric access controls that would provide a date and time stamp upon access to sensitive areas. In addition, the clarification in version 1.2 expands the scope of video monitoring into areas that contain paper files. Many companies contain storehouses full of paper files, which now may require video monitoring as well.

It’s worth noting that standard keys and keypads do not meet the new requirements, as they do not provide the ability to monitor access to sensitive areas. About time this limited control was tossed. It’s not enough to lock the door; you need to know who is accessing the room, and when.

Service providers
Version 1.2 provides more detailed requirements when dealing with service providers (including shared hosting providers) that have access to cardholder data. Businesses must maintain a list of all their cardholder service providers and ensure that the service providers are PCI DSS compliant. This includes monitoring their compliance, maintaining a written contract with the service provider stating that they are responsible for the cardholder data, and establishing a vendor review process when selecting service providers in order to perform due diligence. These requirements force businesses to work closely with their providers and be aware of their service providers’ PCI DSS status. Nice.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: