New Credit Card Handling Rules effective Jan 1, 2015

For those businesses that accept credit cards, here is a summary of changes to how you process and store client credit card information.   These rules went into effect January 1, 2015.  These points are important in maintaining compliance with new PCI rules.  Failing to follow these requirements at the least could cost you money and could even suspend or lose your ability to accept cards altogether.

2015 PCI Rules/Requirements Changes

 Requirement - Build and Maintain a Secure Network and Systems

• Install and maintain a perimeter firewall to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security settings

Requirement - Protect Cardholder Data

• Protect stored cardholder data in a secure manner, preferably in encrypted format when stored.
• Encrypt transmission of cardholder data across open, public networks

Requirement - Maintain a Vulnerability Management Program

• Protect all systems against malware and regularly update your
  anti-virus software.

Requirement - Implement Strong Access Control Measures

• Restrict access to cardholder data by business need to know.
• Identify and authenticate access to system components (no more shared user ID’s and passwords!).
• Restrict physical access to cardholder data.

Requirement - Regularly Monitor and Test Your Network

• Create an audit trail system to track and monitor all access to network resources and cardholder data.
• Regularly test your security systems and processes.

Requirement - Maintain an Information Security Policy

• Maintain a policy covering information security for all personnel and make sure all employees follow it.

Requirement - PCI Requirements for Shared Hosting Providers

• If you’re using a third party to process your credit card transaction, those shared hosting providers must protect the cardholder data environment and you should verify their compliance.

Remember also that there are new chip-based credit cards coming this year.  Some of the rules for handling them mean big changes for you too and some dovetail with these rules to shift the consequences for fraudulent use of credit cards to "the most in-secure" party in the transaction stream which could be you if you're not prepared.


Jeff Hoffman is Chief Security Zealot at ACT Network Solutions, a leading IT security provider in Illinois.  He can be reached at jhoffman@act4networks.com.  He is also the author of "Intruders At The Gate - Building an Effective Malware Defense System" which is available at Amazon.com.