Shining a light on PCI Data Security Standards
Last October, the PCI Security Standards Council (SSC) released version 1.2 of the PCI Data Security Standards (PCI DSS). The update includes feedback on how lodging and hospitality organizations deploy security requirements. More than 2,500 queries and suggestions were considered.
Over the past two years, the SSC solicited feedback from stakeholders to improve the standards, thus helping to protect cardholder data and easing compliance.
Version 1.2 improves the PCI Data Security Standard in the following ways:
Provides greater clarity on PCI DSS requirements
Offers improved flexibility
Manages any evolving risks and threats
Incorporates existing and new best practices
Clarifies scoping and reporting
Eliminates redundant sub-requirements
Consolidates documentation
When combined with the data security standards and tools added by the Council within the last year, these revisions will help businesses better understand and develop practices that protect payment data and prevent fraud.
WHAT YOU NEED TO KNOW
Version 1.2 does not introduce new requirements; rather it provides consistent use of terms and greater flexibility, such as decreasing mandatory review of firewalls from a minimum of every 3 months to every 6 months. One significant change concerns the sunset date for the use of Wired Equivalent Privacy (WEP).
New implementations of WEP are disallowed after March 31, 2009, and any use of WEP must be discontinued after June 30, 2010. Keep in mind, this is only for wireless networks that transmit cardholder data or connect to the cardholder-data environment. Many lodging organizations that offer wireless service for guests do so without processing, transmitting or storing cardholder data. As long as guest wireless service is separate from the cardholder data environment, the PCI DSS assessment does not apply.
Another requirement clarified in the release concerns the physical security of primary account numbers. Both electronic and paper forms must be protected, as well as removable electronic media. For lodging establishments keeping copies of the PAN, Requirement 9 addresses physical protection of cardholder data. Beyond changes to the standards, the Council has greatly enhanced communication, education and interpretation of the 12 security requirements.
*The author, Troy Leach, is technical director for the PCI Security Standards Council. For more information on the PCI Security Standards Council or on becoming a participating organization, visit www.pcisecuritystandards.org or email participation@pcisecuritystandards.org.