The new PCI (Payment Card Industry) Data Security Standards, Release 1.2 came out in October, and are worth taking a look. They’ve added some updated recommendations (like getting rid of WEP entirely by 2010), and I especially liked some of the following features:
Compensating controls must be reviewed, documented and validated by an assessor annually. A compensating control worksheet must be completed for each compensating control. These changes emphasize the council’s intent to make it more difficult for merchants to use compensating controls rather than meeting the requirements of the DSS.
I like this; a control is a control – a compensating control is not meant to be a permanent solution.
Monitoring sensitive areas: Version 1.1 required the use of video cameras to monitor sensitive areas. The new version offers the possibility of using other access control mechanisms to monitor access to sensitive areas. This can include card keys or biometric access controls that would provide a date and time stamp upon access to sensitive areas. In addition, the clarification in version 1.2 expands the scope of video monitoring into areas that contain paper files. Many companies contain storehouses full of paper files, which now may require video monitoring as well.
It’s worth noting that standard keys and keypads do not meet the new requirements, as they do not provide the ability to monitor access to sensitive areas. About time this limited control was tossed. It’s not enough to lock the door; you need to know who is accessing the room, and when.
Version 1.2 provides more detailed requirements when dealing with service providers (including shared hosting providers) that have access to cardholder data. Businesses must maintain a list of all their cardholder service providers and ensure that the service providers are PCI DSS compliant. This includes monitoring their compliance, maintaining a written contract with the service provider stating that they are responsible for the cardholder data, and establishing a vendor review process when selecting service providers in order to perform due diligence. These requirements force businesses to work closely with their providers and be aware of their service providers’ PCI DSS status. Nice.