Obtaining your PCI compliance and maintaining your PCI compliance should now be a standard part of your business security plan. Just like seatbelts and locks for your automobile, you have to protect your credit card processing service and your customers who use credit cards. All merchants will be required to update their PCI compliance SAQ (self-assessment questionnaire) to the new version 2.0. This new version has been updated to keep pace with the dynamic evolution of fraud perpetrating technologies and software products.
For many merchants, it won’t be much of a stretch and only minor changes have been made. For SAQ B (used for non-IP connected authorization equipment that does NOT store cardholder data) the changes include some fleshed out explanations of the requirement goals and 3 additional questions regarding your data protection methods. If you’ve been PCI compliant from the start, the transition from SAQ B V1.2 to SAQ B V2.0 should be simple as long as you haven’t changed from using a stand-alone dial up terminal that settles daily.
For merchants who use IP communicating devices or an internet connection, there will be more changes and protection methods to update and employ on your network. As a merchant processing credit cards, it is imperative that you protect your cardholders’ data, both when stored and when in transit. SAQ C V2.0 and SAQ D V2.0 will need to be carefully reviewed and all new firewall protection and software updates or patches implemented. To be PCI compliant, these merchants will at a minimum need:
- A firewall intrusion prevention system
- A vulnerability scanner for quarterly scanning
- A database activity monitoring system or application monitoring system to protect and monitor log in access history to stored sensitive authentication data
- For audit purposes, a log management for secure storage of all logs
- Some type of security information and event management software
There are some decisions to be made as to how you will approach the new requirements that we’ll touch on next week. See our homepage for more information & instructions on how to make your business PCI compliant today, for free!