Changes are Coming for CHD

The PCI Security Standards Council is ready to introduce new standards this October.  A summary of the proposed changes was published recently on their site.  The changes, once enacted, take effect right away, so companies need to prepare for them.  The changes, while not major, clarify several points that were redundant or otherwise gray, and add some more security.  What are you doing for ongoing security to maintain PCI compliance?  PCI is not a typical regulation: it is actively enforced.  Private industry designed the standards and requires companies to be compliant.  Noncompliance will result in revocation of your ability to process credit and debit transactions.

Protecting CHD is not hard.  Basic security practices just need to be followed in a timely manner.  Here is a summary of all 12 requirements, grouped by goal, in plain terms.

  • Build and Maintain a Secure Network – Have a firewall, change the default passwords, etc.
  • Protect Cardholder Data – Don’t store data in the open.  CHD is the credit card number, expiration date, cardholder name, etc.
  • Maintain a Vulnerability Management Program – This means having AV and malware protection, and developing and maintaining secure systems (e.g. don’t use the homemade application your cousin made for you 12 years ago).
  • Implement Strong Access Control Measures – Keep people from accessing the information unless they need it.
  • Regularly Monitor and Test Networks – You can’t set a network up and walk away.  You should be assessing regularly and making sure nothing is out of the ordinary.
  • Maintain an Information Security Policy – Maintain security policies so your data doesn’t walk off.  All the products in the world will not keep you secure if you don’t use policies around them.  Train your employees or hire someone to.  They don’t think about these things the way you do.
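"Don’t store data in the open" and "make sure nothing is out of the ordinary" meet in one routine check: scanning your own logs for card numbers that should never have landed there. The script below is an added example written for this post, not anything from the PCI SSC; it finds candidate PANs with a Luhn check, reports which log lines leak CHD, and masks them to the first six and last four digits. The log lines are constructed and the card numbers are public test numbers, not real accounts.

```python
import re
from typing import Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real card numbers pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match: "re.Match") -> Optional[str]:
    """Normalise a regex hit to bare digits, or None if it is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text: str) -> list:
    """Return the PANs found in text (for alerting, never for storage)."""
    return [p for p in (_as_pan(m) for m in PAN_RE.finditer(text)) if p]


def mask_pans(text: str) -> str:
    """Mask each PAN to first six and last four digits, the most PCI DSS allows to display."""
    def repl(m: "re.Match") -> str:
        pan = _as_pan(m)
        return m.group() if pan is None else pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_RE.sub(repl, text)


def scan_log(lines: list) -> dict:
    """Map line number -> number of clear-text PANs, so an operator sees where CHD leaks."""
    hits = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits[n] = len(pans)
    return hits


# Constructed sample log; the order id fails Luhn, the two card numbers are test numbers.
SAMPLE_LOG = [
    "2014-10-01 12:30:45 order=1234567890123456 status=ok",
    "2014-10-01 12:31:02 payment card=4111 1111 1111 1111 exp=10/16",
    "2014-10-01 12:31:09 refund card=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for n, count in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {count} PAN(s) in clear text")
    for line in SAMPLE_LOG:
        print(mask_pans(line))
```

A Luhn hit is only a signal: the order id on the first line is ignored, but a real finding still needs the offending logging fixed at the source, not just masked after the fact.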

Summary of Changes

Video of Requirements