
PCI Compliance: What Is It, and What's New?

Since 2005, major credit card brands have required that merchants and service providers of all sizes involved with the collection and processing of credit card transactions be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). Organizations that are still not compliant are expected to be actively working on achieving compliance. Those that don't make satisfactory progress are subject to penalties that can include substantial fines and the cancellation of processing contracts.

PCI DSS is a collection of standards designed to reduce the possibility of account data compromise and related fraud involving payment cards, such as major credit and debit cards. These standards are managed by the PCI Security Council, which in turn is managed by an association of the major credit card brands (Amex, Discover, JCB, MasterCard, and Visa). Managing compliance is the job of the member brands and is enforced contractually as well as by your Acquirer (your transaction processor).

Organizations are categorized by the type of payment processing they perform, the volume of transactions or accounts processed, and the payment channels used. Merchants that take payments as well as service providers that process credit card information are grouped in levels based on these secondary factors.

Note that PCI standards extend to payment applications and payment terminals. Organizations looking to implement new payment applications or payment terminals should be aware of the Payment Application Data Security Standard (PA-DSS), which applies to 3rd party payment applications, as well as of the PIN Transaction Security (PTS) hardware standards for PIN Entry Devices (PEDs). (Merchants and Service Providers should leverage the lists of compliant applications and hardware as a purchasing/leasing tool. See reference links [2] and [3] below.)

What's New in PCI?

PCI regulations have evolved and continue to be updated. In the meantime, deadlines for achieving compliance are looming. Here's what to look for in the next 12 to 18 months:

Currently:
  • Organizations not yet compliant are being asked to complete and file quarterly progress updates against the PCI Prioritized Approach document. Smaller merchants not making progress may be fined if they were formally notified of their responsibilities by their Acquirer more than 1 year ago.
  • Newly signed merchants and service providers using 3rd party payment applications must use PA-DSS compliant versions to process transactions. Although this is being enforced by the Acquirers, many payment applications have escaped notice until recently and vendors are now scrambling to certify. [1]
2010
  • By July 1st: All merchants and service providers with 3rd party payment applications must use PA-DSS compliant versions to process transactions. [1]
  • By September 30th: All Level 1 merchants must demonstrate full compliance through an on-site audit and Report on Compliance with a certified PCI Qualified Security Assessor. Fines for non-compliance are expected to begin in October. [4]
  • By September 30th: All Approved Scanning Vendors (ASVs) will be changing their processes to comply with new requirements. While the method of scoring and assessing vulnerabilities will not change, the new processes require additional disclosures, special notes, and attestations. Additional effort on the part of merchants and service providers is expected. Finally, ASV scans will now require a web application vulnerability phase, which is expected to find many previously undetected PCI failures. [7]
  • By October 1st: Publication of the bi-annual update of the PCI DSS standard (version 1.3). Expect clarifications and some new PCI requirements. [5]
2011
  • By January 1st: PCI DSS version 1.2.1 and earlier become obsolete. All assessments must use the newly updated DSS. [5]
  • By June 30th: Level 1 merchants conducting their own on-site audits must use internal auditors that train and pass PCI SSC merchant training annually. [6]
  • By June 30th: Level 2 merchants must either have an on-site assessment completed by a QSA or if completing the self-assessment questionnaires must use staff that train and pass PCI SSC merchant training annually. [6]

If your organization is wrestling with any of these issues or needs to meet a compliance deadline, you'll need the help of a Qualified Security Assessor (QSA) like Control Gap. Control Gap is a 100% Canadian company that secures business networks and protects consumer data, enabling fast & secure commerce as well as PCI compliance. Established in 1994, Control Gap is QSA certified by the PCI Security Standards Council, and numbers among its clients many major Canadian brand names as well as medium and small businesses. For more information on Control Gap, visit www.controlgap.com.

References
  • [1] Visa announces global deadlines for PA-DSS (secure 3rd party payment software)
    http://corporate.visa.com/media-center/press-releases/press931.jsp
  • [2] PA-DSS certified applications and versions
    https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html
  • [3] PTS certified hardware terminals
    https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
  • [4] Visa announces global deadline for PCI DSS compliance
    http://corporate.visa.com/media-center/press-releases/press873.jsp
  • [5] PCI Standards Council Lifecycle
    https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
  • [6] MasterCard Worldwide Merchant Levels
    http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
  • [7] New PCI external vulnerability scanning program
    https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_program_guide.pdf

About Tenzing

Tenzing was founded in 1998 as Canada Web Hosting. The company launched Tenzing to better communicate its award-winning approach to hosting business-critical Internet applications. Canada Web Hosting will continue to provide dedicated hosting services. Tenzing has customer service centers in Kelowna, BC and Toronto, Ontario and Data Centres in Canada's primary NAPs: 151 Front Street, Toronto and the Harbour Centre, Vancouver.

Visit www.tenzing.com for more information or call toll free 1.877.767.5577

For more information, please contact:
Simon Keogh
Tenzing Managed IT Services
sales@tenzing.com
1.877.767.5577