Visa Europe have recently announced that retailers that are using chip and PIN at a store level only have to complete milestones 1 and 2 in order to validate their compliance.
Furthermore, if the retailer extends compliance to cover milestones 3 and 4, they would be exempt from any penalties in the event of data compromise.
More information here – (and subject to a few exceptions).
There has been an informal understanding between QSAs and the card brands on this for a while now, so it is good to see it finally in writing with a proposed date (30 April 2011) from which it takes formal effect.
I've long been against the implementation of store-level security controls that often appear excessive. The implication of the TIP is that the following store-level controls (milestones 5 and 6) are no longer required, as long as the programme is correctly understood and adhered to:
* Firewall configuration standards
* Encryption of card data and key management
* Change control procedures
* Physical security and employee/visitor badges
* Audit trail security
* Quarterly wireless scans
* Penetration testing
* Information Security Policy
This leaves the following core controls for POS devices, on the basis that card data is either stored or transmitted in the clear:
* Segmentation
* Hardened OS
* Anti-virus
* Secure applications
* Strict access control
* Local audit logging
* Vulnerability scans/patch management
* IDS/IPS
* File integrity monitoring
With a good end point security product, you can combine several of these and heavily reduce operational cost, if that's your lot and you cannot persuade the business to stop storing card numbers in stores (fair enough, there are many reasons to do so).
Do remember that tokenisation and end-to-end encryption solutions can take the POS out of scope completely, so bear this in mind.
If you are planning to roll out a significant level of POS controls, just for the sake of PCI DSS, then stop now and rethink!