PCI changes you need to know about

If you are dealing with card transactions then there is a good chance you need to know about the Payment Card Industry Data Security Standard (PCI DSS) changes coming in 2015.

What's the change?

As of the 1st of January 2015 any existing PCI DSS 2.0 compliant vendors will need to update to version three of the PCI Security Standards Council's (PCI SSC) PCI DSS and PA-DSS.

If you are currently PCI compliant and want to ensure you are after the New Year then it is important to read up on all of these changes. However, for a head start Flint has summarised the five most important PCI changes to consider.

5 most important changes:

1. Standardising Pen Test Method

Although penetration testing has always been mandatory for PCI compliance wherever card data is transmitted, processed or stored, there now needs to be a full, documented methodology behind it. You must set the methodology in place and have it agreed with your pen testing companies to qualify for PCI compliance.

The methodology should be documented and followed, and must test the controls around cardholder data security.

2. Inventory System Components

Companies need to start keeping an inventory of everything, from hardware (virtual or physical hosts and network devices) to software (custom, commercial and off-the-shelf applications). Every component must be documented in the inventory, with a description of its function or use.
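One practical way to keep such an inventory honest is to reconcile it regularly against what is actually observed in the environment. The script below is an added example, not code from the original post or from Flint: it flags inventory entries with no function description, assets observed on the network or on hosts that are not documented at all, and documented entries that are no longer seen anywhere. All component names and observed assets are constructed sample data.

```python
"""Reconcile a documented PCI DSS component inventory against observed assets.

Added example; the inventory entries and observed asset names below are
constructed sample data, not taken from any real environment.
"""
from dataclasses import dataclass

# Component categories the page lists: hardware (hosts, network devices)
# and software (custom, commercial, off-the-shelf applications).
VALID_KINDS = {
    "physical-host", "virtual-host", "network-device",
    "custom-app", "commercial-app", "off-the-shelf-app",
}


@dataclass
class Component:
    name: str       # hostname, device name or application name
    kind: str       # one of VALID_KINDS
    function: str   # the documented function / use required by PCI DSS v3
    owner: str = ""  # team responsible for the component (optional)


def inventory_gaps(inventory):
    """Names of entries that lack a function description or use an unknown kind."""
    return sorted(
        c.name for c in inventory
        if not c.function.strip() or c.kind not in VALID_KINDS
    )


def undocumented_assets(inventory, observed):
    """Observed assets (e.g. from a network scan or host package list)
    that do not appear in the inventory at all."""
    documented = {c.name for c in inventory}
    return sorted(set(observed) - documented)


def stale_entries(inventory, observed):
    """Inventory entries never observed: likely decommissioned components
    that should be removed so the inventory reflects reality."""
    seen = set(observed)
    return sorted(c.name for c in inventory if c.name not in seen)


# Constructed sample inventory: one entry with a missing function description,
# one entry for a system that has since been decommissioned.
SAMPLE_INVENTORY = [
    Component("pos-db-01", "virtual-host", "Stores tokenised card transactions", "dba"),
    Component("fw-edge-01", "network-device", "Segments the CDE from the corporate LAN", "netops"),
    Component("checkout-svc", "custom-app", "", "payments-dev"),
    Component("legacy-batch-02", "commercial-app", "Batch settlement export", "finance"),
]

# Constructed sample of assets observed by a discovery scan: includes a
# jump host nobody documented, and lacks the decommissioned batch app.
SAMPLE_OBSERVED = ["pos-db-01", "fw-edge-01", "checkout-svc", "jump-host-03"]


def reconcile(inventory=SAMPLE_INVENTORY, observed=SAMPLE_OBSERVED):
    """Run all three checks and return the findings as a dict."""
    return {
        "missing_function_or_kind": inventory_gaps(inventory),
        "undocumented_assets": undocumented_assets(inventory, observed),
        "stale_entries": stale_entries(inventory, observed),
    }


if __name__ == "__main__":
    for check, names in reconcile().items():
        print(f"{check}: {', '.join(names) if names else 'none'}")
```

Running it on the sample data reports the application with no function description, the undocumented jump host, and the stale batch application. In practice the observed list would come from whatever discovery tooling you already run, and any non-empty finding is an inventory defect to fix before an assessment.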

3. Vendor Relationships

Companies now need to provide documentation about which PCI DSS requirements are managed by vendors rather than by the company itself. Companies must know and document what each vendor or service provider does and where responsibility for each control lies.

4. Anti-malware

Companies need to identify and evaluate any evolving malware threats for systems not commonly affected by malicious software.

5. Physical Access and Point of Sale

This requires companies to control physical access for on-site personnel so that it is based on their role and is revoked immediately when their contract is terminated. Requirement 9.9 states that companies must “protect devices that capture payment card data…from tampering and substitution.”
