
Digging into PCI 3.0: What shared responsibility means for your business



Adhering to the PCI (Payment Card Industry) standards for protecting card data is everyone’s business. If you process, store or transmit card data, you have to abide by these standards. Version 3.0 of the PCI DSS was published by the PCI Security Standards Council in November 2013 and replaced version 2.0 on 1 January 2015, bringing some important updates. The Council published the update in response to shifting needs in the payments industry, in particular the following problem areas:

Lack of education and awareness
Weak passwords and authentication at merchants and service providers
Third-party security challenges
Slow self-detection of breaches, and malware
Inconsistency in assessments
PCI 3.0 became mandatory on 1 January 2015, with a handful of new requirements (such as 11.3.4, 9.9, 8.5.1 and 12.9) treated as best practice until 30 June 2015 and mandatory from 1 July 2015. Some merchants are still unclear on what these requirements mean for their business. Don’t risk being in the dark on compliance requirements and leave your business vulnerable to a data breach. Let’s review what these updates mean for merchants.

What PCI 3.0 means for you and your business processes
It’s critical that you understand the ramifications of PCI 3.0 so you can ensure your business is compliant. The main aspects of the PCI 3.0 updates can be broken down into the following four categories:

Increased awareness and education. PCI 3.0 provides recommendations and best practices for implementation and encourages merchants to hold stricter training and education for their staff. PCI 3.0 stresses that merchants must require their staff to update passwords regularly and to complete security awareness training.
Greater flexibility. PCI 3.0 explains the intent behind each requirement so merchants can understand what a control is meant to achieve, and it allows some flexibility in how a requirement is met. Several requirements offer more than one acceptable approach, so merchants can reach the same level of compliance in different ways.
Security as a shared responsibility. Shared responsibility refers to the fact that multiple departments or entities may be responsible for the security of different parts of your business systems or networks. PCI 3.0 defines more clearly where responsibility lies in these situations, which removes some of the guesswork for merchants. The PCI SSC has also published a Third-Party Security Assurance Information Supplement to help you and your service providers understand your respective roles in achieving and maintaining compliance.
Monitor controls continuously. PCI 3.0 reiterates the importance of merchants regularly monitoring and testing their networks and systems for issues or control failures. New requirement 11.3.4 requires penetration tests at least annually, and after any change to segmentation controls, to validate that network segmentation is operational and effective, meaning that systems outside the cardholder data environment genuinely cannot reach systems inside it. Another aspect of PCI 3.0 is requirement 9.9, which calls for merchants to keep an inventory of all physical POS devices and inspect them regularly so that tampering or substitution can be detected and corrected. In the past, physical tampering with POS devices has given attackers a way into systems holding sensitive data. If you take PCI compliance seriously, then you already know that ongoing maintenance is critical; this aspect of PCI 3.0 simply reinforces that point.
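To make the segmentation point concrete, here is an added example of the kind of check a tester runs for requirement 11.3.4. It is not code from the article or from the PCI SSC, and the host addresses, port list and "permitted" allow-list are assumptions: you run it from a host in an out-of-scope segment (for example the corporate LAN) against the hosts you have placed inside the cardholder data environment, and any TCP connection that succeeds but is not on your documented allow-list is a finding, because it means the segmentation is not actually isolating the CDE. A simulated firewall state is built in so the script runs offline; swap the default probe back in for a live run.

```python
"""Added example (not from the article or the PCI SSC): a minimal segmentation
check in the spirit of PCI DSS 3.0 requirement 11.3.4. All IPs, ports and the
"permitted" allow-list below are assumptions for illustration."""
import socket
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Endpoint = Tuple[str, int]

# Ports a pivoting attacker would try first; extend with what your CDE really listens on.
COMMON_PORTS: Tuple[int, ...] = (22, 80, 135, 139, 443, 445, 1433, 3306, 3389, 5900)


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes, i.e. the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, filtered, unreachable or timed out all count as "blocked" here
        return False


def check_segmentation(
    cde_hosts: Iterable[str],
    ports: Iterable[int] = COMMON_PORTS,
    permitted: FrozenSet[Endpoint] = frozenset(),
    probe: Callable[[str, int], bool] = tcp_probe,
) -> Dict[str, List[Endpoint]]:
    """Probe every (host, port) pair and split the reachable ones into those the
    segmentation design explicitly allows and those it does not (the findings)."""
    reachable = {(h, p) for h in cde_hosts for p in ports if probe(h, p)}
    return {
        "permitted": sorted(reachable & permitted),
        "findings": sorted(reachable - permitted),
    }


def segmentation_effective(result: Dict[str, List[Endpoint]]) -> bool:
    """Pass only if nothing outside the documented allow-list is reachable."""
    return not result["findings"]


def report(result: Dict[str, List[Endpoint]]) -> str:
    lines = ["PASS" if segmentation_effective(result) else "FAIL"]
    lines += [f"  permitted  {h}:{p}" for h, p in result["permitted"]]
    lines += [f"  FINDING    {h}:{p} reachable from out-of-scope segment"
              for h, p in result["findings"]]
    return "\n".join(lines)


# --- constructed stand-in for a real run (no network needed) -----------------
# Assumed CDE layout: 10.10.1.10 is the documented jump host (SSH allowed from
# the corporate LAN); 10.10.1.20 is a database server that must be unreachable.
ASSUMED_CDE_HOSTS = ("10.10.1.10", "10.10.1.20")
ASSUMED_PERMITTED: FrozenSet[Endpoint] = frozenset({("10.10.1.10", 22)})
# Simulated firewall state: the documented exception plus one mistake
# (RDP left open to the database host). Constructed data, not a real scan.
_SIMULATED_OPEN = {("10.10.1.10", 22), ("10.10.1.20", 3389)}


def simulated_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_probe so the example runs offline."""
    return (host, port) in _SIMULATED_OPEN


if __name__ == "__main__":
    # Drop probe=simulated_probe to use the real tcp_probe from an out-of-scope host.
    print(report(check_segmentation(ASSUMED_CDE_HOSTS,
                                    permitted=ASSUMED_PERMITTED,
                                    probe=simulated_probe)))
```

A successful TCP connect is only the first indicator; a real 11.3.4 test also covers UDP and ICMP paths, every out-of-scope segment (not just one), and is repeated after any firewall or VLAN change, so treat the allow-list as something that must match your documented segmentation design rather than whatever happens to be open today.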
Digging into shared responsibility
The concept of “shared responsibility” is so important to PCI compliance because different entities may be responsible for securing different parts of your systems and networks. This comes into play especially in the event of a breach, when one party may blame another for the weakness the attackers exploited.

To address the “finger pointing” that can occur in the aftermath of a breach, PCI 3.0 includes new requirements for both merchants and their service providers. Requirement 12.8.5 requires merchants to maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the merchant itself. Requirement 12.9 requires service providers to acknowledge in writing to their customers that they are responsible for the security of the cardholder data they possess or could otherwise affect on the customer’s behalf.

Working to combat physical tampering
Data thieves who physically tamper with POS devices have been a concern, and the cause of several major data breaches, in the past. Attackers can easily place skimming devices or hidden cameras on gas station pumps and ATMs, but they can also tamper with counter-top POS terminals and PIN pads, or swap a terminal for a look-alike that captures card data. PCI 3.0 requires that merchants regularly inspect all POS devices to ensure that none have been tampered with or substituted. It’s important to note that, while POS devices do not need to be locked to an immovable object to meet this requirement, they do need to be inventoried and diligently checked, and staff need to be trained to spot a device that looks wrong or a “technician” who turns up unannounced.

Further clarifications in PCI 3.0
Much of PCI 3.0 included clarifications and further details that built on the 2.0 update. As Chris Camejo, Director of Assessment Services at NTT Com Security, says: “While most of the changes are simple clarifications of previous requirements, they could have a major impact on merchants as they touch on everything from the definition of scope and segmentation, to formally documenting responsibilities between merchants and service providers and controls for preventing tampering and skimming at the point-of-sale.” Here are some of those clarifications that you need to understand and put into practice at your company:

PCI 3.0 requires merchants to maintain a current network diagram showing all connections between the cardholder data environment and other networks, including the firewall configuration that protects cardholder data. It also adds a requirement for a diagram showing how cardholder data flows across systems and networks during the transaction process.
PCI 3.0 requires merchants to periodically evaluate evolving malware threats for any systems that are not commonly affected by malicious software. The update expands the focus from only those systems that specifically handle card data to all business systems that could have access to such valuable data.
PCI 3.0 requires anti-virus software to be actively running and kept current on all affected systems. It cannot be disabled or altered by users unless your management team specifically authorizes doing so on a case-by-case basis, and then only for a limited time period.
PCI 3.0 requirement 8.5.1 requires service providers who have remote access to customer premises to use unique authentication credentials for each customer. This prevents one compromised credential from opening up every customer of the same service provider.
PCI 3.0 includes new requirements to protect devices that capture payment card data via swiping (magnetic stripe) or dipping (EMV chip) from tampering and substitution. The goal is to stop card data from being skimmed at the point where it is read from the card, before it is ever encrypted or transmitted.
Check out the summary of changes that the PCI SSC issued for more details.

Lean on your payments processor for PCI compliance guidance
Being PCI compliant is an ongoing process. To make sure you achieve and maintain your compliance standing, partner with a payments processor that takes compliance seriously and will be there to support you each step of the way. For PCI 3.0 and every other update that comes in the years ahead, an experienced partner that can help you understand and meet the requirements will help your business grow and thrive, safely and securely.

