Wipfli LLP: New credit card protection rules go into effect in 2011

Press Contact

Jennifer Hacker Olsen


[email protected]


Milwaukee, Wis. (February 22, 2011) — If your organization collects, stores, transmits, or processes credit card information, the new year has ushered in some new rules. Updates to the Payment Card Industry Data Security Standard (PCI DSS) were released in late October 2010 and became effective on January 1, 2011. Issued by the PCI Security Standards Council, the recent updates include several changes and new clarifications on how to properly secure online payments and transaction systems. Merchants and organizations will have until the end of 2011 to achieve full compliance with the new updates.

When it comes to the responsibility for preventing cardholder information theft, company size doesn’t matter. PCI DSS is a strong, systematic way to secure cardholder data for any organization that accepts, transmits, or stores any cardholder data, regardless of the company’s size or the number of transactions. It applies across all industries, and it applies even if an organization has a single customer who prefers paying by credit card.

What’s New in 2.0?

The updates primarily build on the 1.2 standards to provide more clarity and guidance while still giving organizations a valuable way to stay current in their risk reduction efforts. Here is a quick summary of a few of the changes:

* Organizations cannot outsource their compliance responsibility to a third party. Even when an organization outsources its PCI environment, it must still ensure that the data is being protected and that the outsourcing vendors are complying with the security standards.

* Clarifies that all locations and flows of cardholder data should be identified and documented. That means all systems, applications, and networks are included in the scope of PCI DSS assessments.

* Virtual servers and cloud computing are included throughout the standard and must now also be deemed PCIcompliant.

* Clarifies key management processes. Encryption key management is now risk-based and no longer subject to a mandatory annual refresh, creating more flexibility around secure key management.

* Applies a risk-based approach for addressing vulnerabilities. Allows vulnerabilities to be ranked

and prioritized according to risk.

To learn more about PCI DSS, please visit http://www.pcisecuritystandards.org or contact Jennifer Hacker Olsen to speak with one of Wipfli’s experts in the Risk Management group at 952.548.3389 or [email protected].

About Wipfli LLP

With over 950 associates and 19 offices in Wisconsin, Illinois, Minnesota, the state of Washington, and two offices in India, Wipfli ranks among the largest accounting and business consulting firms in the nation. Wipfli can advise in all areas of business, from finance and operations to human resources, information technology, and customer relationships. Wipfli’s clients include manufacturers, health care organizations, financial institutions, nonprofit entities, dealerships, contractors and developers, small businesses, and individuals. Wipfli’s 81-year legacy of helping its clients succeed is a point of pride for each of the firm’s partners and associates. For more information, visit http://www.wipfli.com.