Among the many changes in the new PCI DSS v4.0 are those regarding requirement 11.4.4, which refers to the remediation of "exploitable vulnerabilities" and "security weaknesses." Though history has more clearly established what is meant by the former, there may be some confusion concerning the latter as organizations continue to make the transition to the new version.
Well over a year ago, the PCI Standards Council announced, in addition to other requirements, that a PCI charter would now be required for service providers after January 31, 2018. Few service providers have implemented this yet, but all will soon need one to maintain or achieve PCI compliance.
This month, Wal-Mart Stores Inc. sued Visa Inc. for the right to require customers to enter a PIN when using a chip-based debit card. Currently, customers have the option to pass on entering a PIN and write a signature instead. The problem with that, according to Wal-Mart, is that merchants like Wal-Mart must pay about an additional five cents per signature transaction. The Wall Street Journal reports that as the most frequently used form of payment at Wal-Mart, debit card transactions account for 70% of the dollar value of card payments for the retail giant.
Coming in April 2016, the PCI Security Standards Council (SSC) is releasing an incremental update to the PCI DSS in version 3.2. As an incremental update, it makes minor changes to the PCI DSS requirements, but some of the changes are significant. For the community that implements the PCI DSS, here’s what you need to know:
The PCI Security Standards Council (SSC) recently published an information supplement on third-party security assurance that provides a set of guidelines for understanding how to manage third-party service provider (TPSP) relationships and PCI DSS compliance requirements. The guidance applies to entities that use or are considering the use of TPSPs, and to the TPSPs themselves, that have access to, or can impact the security of, cardholder data (CHD) or the cardholder data environment (CDE). The SSC defines an entity as any organization that has the responsibility to protect card data and may leverage a TPSP to support it in card-processing activities or to secure card data.
The media has been filled with stories of high-profile credit card breaches, including those from Target, Neiman Marcus, P.F. Chang’s and most recently Home Depot. Details on the Home Depot breach are still emerging, but the details around the Target and Neiman Marcus breaches are well known and are causing the public to ask whether it will happen again.
PCI levels are categories that the PCI Security Standards Council (SSC) and card brands (VISA, MasterCard, American Express, Discover, and JCB) use to determine PCI compliance validation and reporting requirements for both merchants and service providers. The levels are numbered 1 through 4, with 1 being the highest level.