The ABC’s of PCI Compliance Continue (Part Three of Series)

Regularly monitor and test networks. All access to network resources and cardholder data must be tracked and monitored, and regular testing of security systems and processes is required.

Maintain an information security policy. The policy must cover every aspect of information security. The newest wrinkles in PCI DSS are additional compliance mandates issued by Visa. One mandate, known as PCI PED (PED stands for PIN entry data) is intended to guard consumer PIN data against theft and to enforce the hardware security of devices that accept consumer PINs and house merchant acquirers’ secret encryption keys. According to PCI PED, merchants that accept PIN-based debit must, as of July 1, 2010, use only PIN pads that meet the Triple Data Encryption Standard (TDES)—in other words, units whose encryption keys encrypt cardholder information several times in the keypad. Before July 1, merchants must also retire all PIN entry devices that have not been certified under the PCI PIN Transaction Security (PCI PTS) program or the older Visa PED program. If your PIN entry devices were manufactured before 2004, they are probably not qualified for use after the July deadline.

Visa has said it won’t fine acquirers for non-compliance with these latest mandates until July 1, 2012. However, acquirers can fine merchants, VARs and ISOs at any time beyond that date. Liability for any breach of an unapproved device after July 1 falls onto merchants’ and acquirers’ shoulders.

Need help meeting PCI requirements? pcAmerica can help you with many facets of PCI compliance, including assistance in procuring devices that adhere to all standards.