-- Merchants now have the ability to answer a question with "N/A," but
must complete Appendix D, "Explanation of Non-Applicability," if this option
is selected.
-- "Compensating Control Used" can now be considered for most PCI DSS
requirements when an entity cannot meet a requirement explicitly as stated,
due to legitimate technical or business constraints, but has sufficiently
mitigated the risk associated with the requirement through implementation
of other, compensating controls. Merchants must also complete
Appendix C, "Compensating Controls Worksheet," if this option is selected.
SAQ Form B:
-- Requirement 4 (Encrypt transmissions of cardholder data across open,
public networks) - Expands the scope of sending sensitive data via
encrypted emails to include all end-user messaging technologies such as
email, instant messenger and chat.
-- Requirement 9 (Restrict physical access to cardholder data) -
Qualifies that destruction of cardholder data must ensure that the
information cannot be reconstructed.
-- Requirement 12 (Maintain a policy that addresses information security
for employees and contractors) - Changed the list of critical employee
media to include email and Internet usage, laptops and personal
data/digital assistants (e.g., PDAs).
SAQ Form C:
-- Requirement 1 (Install and maintain a firewall configuration to
protect data) - Provides clarification around firewall requirements.
-- Requirement 2 (Do not use vendor-supplied defaults for system
passwords and other security parameters) - Modifies setting requirements
around wireless devices.
-- Requirement 5 (Use and regularly update anti-virus software or
programs) - Clarifies that anti-virus software must be capable of
detecting, removing and protecting against all known forms of malicious
software.
-- Requirement 6 (Develop and maintain secure systems and applications) -
Changes patching requirement from 30 days to one month and now allows for
risk-based patching approach.
-- Requirement 11 (Regularly test security systems and processes) -
Allows for the use of wireless IDS/IPS to identify wireless devices in use.
SAQ Form D:
-- SAQ Form D is the most affected variant in version 1.2. While there
are no sea changes, version 1.2 refines and clarifies many of the questions
from the D form.
Several years ago when the PCI Data Security Standards (PCI DSS) launched,
the main focus was to drive PCI compliance among the large merchant
community (typically Level 1 as specified by VISA). Now that approximately
80% of these large merchants are in or nearing compliance, the focus has
shifted to smaller merchants, which represent 98% of all merchants (Level 4
as specified by VISA).
"We understand the challenges smaller merchants face every day when it
comes to PCI compliance and security -- we're the only company that has
been on their side from the beginning," said Herbig. "Smaller merchants
often lack the understanding and technical resources to comply with the
standard, which is why the PCI compliance solutions we've built anticipated
the specific needs of the small merchant, and we provide one-on-one support
(essentially holding their hands) throughout the entire process."
About PCI Compliance Provider ControlScan
Headquartered in Atlanta, Georgia, ControlScan provides Payment Card
Industry (PCI) compliance and security solutions designed exclusively for
small- to medium-sized e-commerce and retail businesses. The company's
Verified Secure solutions make it easy and cost-effective for these
businesses to protect their infrastructure and help keep their Websites
safe so shoppers can purchase with confidence. ControlScan is the security
solution of choice for smaller merchants because it offers security
solutions that fit their specific needs, a personal level of service and
the best value. For more information about ControlScan visit
www.controlscan.com or call 1-800-825-3301.
Contact Information: ControlScan, Inc., Heather Varian Foster, 678-279-2644