PCI Version 2.0: New For YOU!

By Archive User posted 01-13-2011 11:04 AM

Did you know that PCI specifications have versions just like software? The newest version, PCI 2.0, became effective on January 1st. The good news is that most PCI 2.0 changes do not add to your "to do" list. They simply clarify existing requirements.

However, one clarification will introduce additional steps to your compliance process. PCI 2.0 requires that merchants not only document their Cardholder Data Environment, but also demonstrate that their definition of CDE accurately reflects all the places where cardholder data is handled. After all, it's hard to be "compliant" without knowing the full extent of your payment card activity on campus. Here's how to approach documenting your CDE.

Define: First, create an accurate inventory of all campus merchants and the scope of their activity (i.e., your CDE). Then prepare written documentation defining those areas where cardholder data is captured, transmitted, or stored.

Validate: Next, test your CDE to ensure all sensitive cardholder data is being properly protected, including encryption of any cardholder data at rest.

Prove: Finally, implement a process for finding cardholder data "leakage" outside of the defined CDE. The challenge is to demonstrate that no cardholder data resides in your systems except within your defined scope.

The last step is the CDE "gotcha." How are you going to prove that your CDE is really your CDE? This can be especially difficult in a college or university environment with its diverse and disparate merchant activity. The specification doesn't require using an automated search tool, but the reality is you will probably need one. So, it's time to put "CDE scoping" on your radar. I suspect you'll be hearing a lot more about CDEs in the coming months and years.

Thanks for reading.

PS: You can find full versions of the new PCI 2.0 standards, as well as summaries of changes, at the PCI Council's website. You can also contact us directly with questions about the updated PCI standards.
