If you read last week’s blog then you know that there is a new version of the PCI DSS (payment card industry data security standard) SAQ (self-assessment questionnaire) version 2.0. You should also know that there are some decisions to be made for merchants processing using an IP connected device. Some of the changes for firewall protection and other security concerns will be more significant for these merchants.
Changes will include clarifications on: the applicability of card holder data and PCI DSS; scoping and locations for card holder data environments; virtualization recommendations; boundaries between card holder data environments and the internet and more on DMZs; key management process changes; consolidating secure coding; moving, copying and storing card holder data; and when addressing data security vulnerable areas assuming a risk based approach.
There are not as many changes to the PA DSS (payment application data security standard) but the changes have a greater impact. There is new guidance on remote update and access to payment applications as well as for end user terminals running payment applications. To bring the PA DSS requirement 4.4 into full alignment with PCI requirement 10.5.3, it now specifies that payment applications must support centralized logging.
This is the most significant change to the PA DSS and for payment application vendors, this will require the provision of detailed logs. The PA DSS requirements give further details as to the parameters to be met. For merchants using payment applications, the PCI DSS requirement that corresponds with the PA DSS states that the log outputs have to be centrally collected and managed. Incorporating log management products will be essential to achieve PCI compliance.
Remember, PCI compliance isn’t just for the protection of your business, but the protection of your customers and ultimately the integrity of the electronic payments industry as a whole. See our home page for information on how to register your business PCI compliant for free!