One major change in PCI version 1.2 is the new requirements and testing procedures for Requirement 12.8. Requirement 12.8 deals with how merchants and service providers should handle the third parties that can affect the security of cardholder data. The card brands have told us in the past that they would not expect a service provider to prevent a merchant from being compliant, but that the merchant must understand that it will carry the liability for a breach at its service provider’s site.

We’ve seen 12.8 morph considerably from PCI version 1.0 to 1.2. The intent was to help merchants understand how service providers deal with their data, and to make sure that merchants are protected if there is a breach at their service provider. I still believe that the intent is the same; the language of the requirement and testing procedure has been relaxed slightly, but it still points out the liability. This means that you may not have to alter that master services agreement that was originally inked in 1979, but legal on both sides must be made aware of the stakes involved.

There are a couple of industries that have unique problems as they relate to PCI. One of those is the travel industry (shout out to Yvette!). The service providers that it relies on supply some infrastructure (such as common use terminals, or shared ticket counter or gate space) that is virtually unmaintained, and the airports have been unwilling to put any additional support into these systems. Thus, the contracts do not mention anything about data security or PCI, and would not be compliant under PCI 1.1.

Now with PCI 1.2, the travel industry has a way to deal with these common use areas in a manner that does not affect its compliance. Security is still definitely an issue, but this is another one of those cases where you don’t want to rely entirely on PCI compliance to keep you breach-free.

This post originally appeared on