Credit card data regulation revises self-assessment
By Miya Knights
The payment card industry data security standard (PCI DSS) has today been given an updated validation tool to help companies handling customer credit card transactions become compliant with its regulations.
Visa, MasterCard and American Express introduced the standard in 2005 to require organisations whose transactional systems handle credit cards to protect the storage of, and access to, that customer financial data.
The PCI Security Standards Council, which took over administration of the standard from the card companies in January 2006, has updated the self-assessment questionnaire (SAQ), the form organisations first used to measure their own level of PCI DSS compliance.
Bob Russo, general manager of the PCI Security Standards Council, told IT PRO the SAQ had been redesigned so that the 100-plus questions in version 1 could be reduced to a simpler set for those merchants who are not required to undergo an onsite assessment of how they protect payment card data.
"With the introduction of the updated SAQ, merchants will now have a better understanding of the steps necessary to secure their payment data and comply with the PCI DSS," he said.
Version 1.1 of the SAQ now contains four distinct forms. Three of them, A to C, are aimed at narrower categories of merchant: those who have outsourced all cardholder data storage, processing and transmission (A); those who process cardholder data only via imprint machines or standalone dial-up terminals (B); and those whose payment application systems are connected to the internet (C).
Running to between 20 and 30 questions each, forms A to C are alternatives to form D for merchants who qualify. Form D still runs to over 100 questions but has also been realigned with the PCI standard, and merchants who do not fall into categories A to C will still be required to complete it.
"We're talking mostly about smaller merchants here," added Russo. "And so we've also added more extensive guidelines to help smaller businesses stay compliant and concentrate on what they do best, which is trading."
A set of frequently asked questions is also available alongside the SAQ instruction and guideline document on the Council's website, so that merchants and transaction service providers can more easily determine which SAQ is the proper tool for confirming their PCI DSS compliance.
Russo added: "Having multiple SAQs available will streamline the process and make it easier for stakeholders to determine their compliance gaps and take action to ensure full compliance with the Standard."
Non-compliant companies that suffer a breach of customer card data are liable for large fines, passed on through their acquiring bank, and may have their card-processing privileges withdrawn by the card companies.