Effective Jan. 1, merchants and payments companies must ensure their systems comply with versions 2.0 of the Payment Card Industry and Payment Application data-security standards the PCI Security Standards Council released Oct. 28.
Neither of the updated standards designed to protect sensitive cardholder data brings dramatic change, Bob Russo, PCI council general manager, tells ISO&Agent Weekly.
The changes include improved definitions of the secure boundaries between a merchant’s Internet connection and the cardholder data, and recognition that issuers have a legitimate need to store sensitive authentication data.
The changes also enable merchants to rank and prioritize security vulnerabilities. The ranking and prioritizing change gives merchants better control, Russo says.
In another change, the standard clarifies how weaknesses in wireless access points may be identified. It now allows wireless network scans, physical inspections, or similar methods that will expose a weak spot in the system.
“The standards are maturing,” Russo says, noting merchants increasingly have accepted their compliance roles. “People realize what needs to be done and how to comply with it.”
But one group of merchants, the smallest, continues to struggle with PCI-compliance issues, he says. Many small merchants, for example, are unsure which self-assessment questionnaire to use, Russo says. These questionnaires are designed to ferret out weak spots in a merchant’s payment scheme.
“Very often we found that smaller merchants went with a bigger [self-assessment questionnaire], and half of their responses had ‘not applicable’ written in,” Russo notes.
The council intends to put more emphasis on educating small merchants to avoid such confusion, he says. “We have to help them understand what it means to be compliant, how to become compliant and what could possibly happen” if they do not, Russo says.
As part of that effort, the council redesigned its website. As of Oct. 28, all of the council’s materials for small businesses are gathered in one place on the site, Russo says. The information previously was scattered across various pages and often was difficult to locate, he notes.
“We continue to understand the biggest impediment to [merchants’] complying is an education issue,” Russo notes.
The Wakefield, Mass.-based council launched version 1.1 of the PCI DSS in 2006 and added the PA-DSS to its domain in 2007.
The council earlier this year also updated its PIN Transaction Security standard, and it put all three of its standards on three-year lifecycles to give merchants more time to work with them.