PCI Data Security Standard version 1.2 now active.

Payment card industry (PCI) self-assessment questionnaire for cybersecurity solutions.

As of October 1, 2008, the PCI Data Security Standard version 1.2 became active. There are a number of changes to PCI DSS since version 1.1. Version 1.2 removes much of the ambiguity from earlier versions and provides additional details on items such as the use of wireless devices.

One of the largest and possibly hardest-hitting changes is that the certification process now places an increasing amount of scrutiny on level 3 and level 4 merchants. If you process credit cards and have not yet received any notification from your merchant bank regarding PCI DSS compliance, you will soon.

I will not attempt to cover all of the details of the new standard, but I will say that if your company handles any cardholder data, it is important to bring your infrastructure into compliance with PCI DSS.

PCI DSS 1.2 specifies 12 requirements for compliance, organized into 6 logically related groups, which are called “control objectives.”

The control objectives and their requirements are:

    • Build and Maintain a Secure Network
        Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
        Requirement 3: Protect stored cardholder data
        Requirement 4: Encrypt transmission of cardholder data across open, public networks
    • Maintain a Vulnerability Management Program
        Requirement 5: Use and regularly update anti-virus software
        Requirement 6: Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
        Requirement 7: Restrict access to cardholder data by business need-to-know
        Requirement 8: Assign a unique ID to each person with computer access
        Requirement 9: Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
        Requirement 10: Track and monitor all access to network resources and cardholder data
        Requirement 11: Regularly test security systems and processes
    • Maintain an Information Security Policy
        Requirement 12: Maintain a policy that addresses information security

Each control objective contains additional details on what is required to meet it, and a detailed study is needed to fully understand the requirements and their impact on your existing infrastructure. Smaller companies have the option to use a self-assessment questionnaire (SAQ), but even this can be difficult and time-consuming.

ZZ Servers has fully qualified security assessors and partnerships with PCI ASVs/QSAs for all levels of PCI certification, required security scans, and full level 1 PCI audit validation. Contact us today so we can assist with your adoption of PCI DSS in your environment and ensure your full compliance with these comprehensive requirements. Let us help you prepare and prevent the damaging costs of a data breach.

Peter Zendzian
Managing Partner
ZZ Servers, LLC
www.zzservers.com
800-796-3574
