
Digging into PCI 3.0: What shared responsibility means for your business



Adhering to the PCI DSS (Payment Card Industry Data Security Standard) for protecting card data is everyone’s business. If you process, store or transmit cardholder data, you have to abide by it. Version 3.0 of the standard was published in November 2013 with some important updates. The PCI Security Standards Council issued the update in response to shifting needs in the payments industry and to the following problems it saw across merchants and service providers:

Lack of education and awareness
Weak passwords and authentication at merchants and service providers
Third-party security challenges
Slow self-detection of breaches and malware
Inconsistency in assessments
Compliance with version 3.0 became mandatory on 1 January 2015, when version 2.0 was retired, and a handful of the new requirements (8.5.1, 9.9, 11.3 and 12.9 among them) remained best practices until 30 June 2015 before becoming mandatory on 1 July 2015. Some merchants are still unclear on what the changes mean for their business. Don’t risk being in the dark on compliance requirements and leaving your business vulnerable to a data breach. Let’s review what these updates mean for merchants.

What PCI 3.0 means for you and your business processes
It’s critical that you understand the ramifications of PCI 3.0 so you can ensure your business is compliant. The main aspects of the PCI 3.0 updates can be broken down into the following four categories:

Increased awareness and education. PCI 3.0 adds guidance on the intent of each requirement and on implementation best practices, and it encourages merchants to run stricter training and education for their staff. In particular, it stresses that merchants should require staff to change passwords regularly and to complete security awareness training.
Greater flexibility. PCI 3.0 spells out the intent behind each requirement, which lets merchants understand what a control must achieve and gives them some latitude in how to meet it. For some requirements there are multiple acceptable options, so the same level of compliance can be reached in different ways.
Security as a shared responsibility. Several departments or outside entities may each be responsible for securing different parts of your systems and networks. PCI 3.0 defines more clearly where responsibility lies in these situations, which takes some of the guesswork away from merchants. The Council has also published a Third-Party Security Assurance Information Supplement to help you and your service providers understand your respective roles in achieving and maintaining compliance.
Monitor controls continuously. PCI 3.0 reiterates the importance of regularly monitoring and testing networks and systems for issues or control failures. New requirement 11.3.4 requires merchants that use network segmentation to reduce the scope of their cardholder data environment to perform penetration tests at least annually to confirm that the segmentation is operational and effective. Requirement 9.9 calls for merchants to keep an inventory of their physical POS devices and inspect them regularly so that tampering or substitution is detected and corrected. Physical tampering with POS devices has given attackers access to systems holding sensitive data in the past. If you take PCI compliance seriously, you already know that ongoing maintenance is critical; this aspect of PCI 3.0 simply reinforces that point.
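The segmentation check that requirement 11.3.4 asks for can be smoke-tested before the formal penetration test. The script below is an added example, not code from the original post or from the PCI SSC: run from a host on an out-of-scope segment, it attempts a TCP connection to each CDE host and port and treats anything other than a timeout or "unreachable" as a failure. A refused connection counts as a failure too, because the packet crossed the boundary and the CDE host answered. The addresses and ports are constructed for illustration.

```python
"""Added example, not code from the original post: a minimal TCP
segmentation check in the spirit of PCI DSS requirement 11.3.4, which
asks for periodic penetration tests proving that segmentation controls
actually isolate the cardholder data environment (CDE).

Run it from a host on an out-of-scope network segment. Only "filtered"
results (timeout / no route) are acceptable. The addresses and ports
below are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample: CDE hosts and services that must be unreachable
# from the out-of-scope segment this script runs on.
CDE_TARGETS: Dict[str, List[int]] = {
    "10.10.1.10": [22, 443, 1433],  # hypothetical payment application host
    "10.10.1.20": [22, 3306],       # hypothetical cardholder database host
}

OPEN, REFUSED, FILTERED = "open", "refused", "filtered"


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    status: str  # one of OPEN, REFUSED, FILTERED


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connection attempt.

    open     - handshake completed: a CDE service is exposed
    refused  - host replied with RST: traffic crosses the boundary
    filtered - timeout / no route: the boundary dropped it (desired)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return FILTERED


def check_segmentation(
    targets: Dict[str, List[int]],
    probe: Callable[[str, int], str] = tcp_probe,
) -> List[ProbeResult]:
    """Probe every host:port in targets and return the classified results.

    The probe is injectable so the logic can be exercised offline.
    """
    return [
        ProbeResult(host, port, probe(host, port))
        for host, ports in targets.items()
        for port in ports
    ]


def segmentation_failures(results: List[ProbeResult]) -> List[ProbeResult]:
    """Anything the boundary did not drop is evidence that segmentation leaks."""
    return [r for r in results if r.status != FILTERED]


def is_segmented(results: List[ProbeResult]) -> bool:
    return not segmentation_failures(results)


if __name__ == "__main__":
    results = check_segmentation(CDE_TARGETS)
    for r in results:
        print(f"{r.host}:{r.port:<5} {r.status}")
    print("segmentation OK" if is_segmented(results) else "SEGMENTATION FAILURE")
```

A TCP connect test like this is a quick sanity check, not the penetration test 11.3.4 requires: it says nothing about UDP or ICMP reachability, and it has to be repeated from every out-of-scope segment, since a single well-placed source host proves nothing about the others.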
Digging into shared responsibility
The concept of “shared responsibility” matters so much to PCI compliance because different entities may be responsible for securing different parts of your systems and networks. This comes into play especially after a breach, when one party may blame another for the weakness the attackers exploited.

To address the “finger pointing” that can occur in the aftermath of a breach, PCI 3.0 includes new requirements for both merchants and their service providers. Requirement 12.8.5 requires merchants to maintain a record of which PCI DSS requirements are managed by each service provider and which they manage themselves. Requirement 12.9 requires service providers to acknowledge in writing to their customers that they are responsible for the security of the cardholder data they possess or otherwise store, process or transmit on the customer’s behalf.

Working to combat physical tampering
Data thieves who physically tamper with POS devices have been a concern, and the cause of several major data breaches, in the past. Attackers can easily place skimming devices or hidden cameras on fuel pumps and ATMs, and they can also tamper with countertop POS terminals and PIN pads. PCI 3.0 requires merchants to keep an inventory of their POS devices and regularly inspect them to confirm that none has been tampered with or swapped for a look-alike device. It’s important to note that, while POS devices do not need to be locked to an immovable object to meet this requirement, they do need to be diligently checked.
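The inventory and inspection routine described above only catches substitution if the walk-through is actually reconciled against the inventory. The script below is an added example, not code from the original post or from the PCI SSC: it compares a constructed 9.9.1-style inventory (make/model, location, serial number) with what a constructed inspection walk found at each location (the serial read off the device and whether its tamper-evident seal was intact), and flags substituted, unknown, missing and seal-broken devices. All records, serials and locations are made up for illustration.

```python
"""Added example, not code from the original post: reconciling a POS
device inventory against the results of a physical inspection walk, in
the spirit of PCI DSS 9.9.1 (maintain an inventory of devices) and 9.9.2
(inspect them periodically for tampering or substitution). Every record,
serial and location below is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# 9.9.1 inventory: make/model, location, serial number (constructed data).
INVENTORY: List[Dict[str, str]] = [
    {"serial": "PT-0001", "model": "PinPad X100", "location": "Lane 1"},
    {"serial": "PT-0002", "model": "PinPad X100", "location": "Lane 2"},
    {"serial": "PT-0003", "model": "PinPad X100", "location": "Lane 3"},
    {"serial": "PT-0004", "model": "PinPad X100", "location": "Lane 4"},
]

# 9.9.2 inspection walk: per location, the serial read off the device
# and whether its tamper-evident seal was intact (constructed data).
SITE_WALK: Dict[str, dict] = {
    "Lane 1": {"serial": "PT-0001", "seal_intact": True},
    "Lane 2": {"serial": "PT-9999", "seal_intact": True},   # serial differs
    "Lane 3": {"serial": "PT-0003", "seal_intact": False},  # seal broken
    "Kiosk":  {"serial": "PT-0500", "seal_intact": True},   # not in inventory
    # Lane 4 was not found during the walk
}

# (finding, location, expected_serial, observed_serial)
Finding = Tuple[str, str, Optional[str], Optional[str]]


def reconcile(inventory: List[Dict[str, str]], walk: Dict[str, dict]) -> List[Finding]:
    """Compare what the inventory says should be at each location with
    what the inspection found there, and return every discrepancy."""
    by_location = {d["location"]: d for d in inventory}
    findings: List[Finding] = []

    for location, seen in walk.items():
        expected = by_location.get(location)
        observed = seen["serial"]
        if expected is None:
            # A device nobody recorded: could be an attacker's look-alike.
            findings.append(("unknown_device", location, None, observed))
            continue
        if expected["serial"] != observed:
            # Right place, wrong serial: the classic substitution attack.
            findings.append(("possible_substitution", location, expected["serial"], observed))
        if not seen["seal_intact"]:
            # Correct device but the tamper seal is gone: assume a skimmer.
            findings.append(("seal_broken", location, expected["serial"], observed))

    for location, d in by_location.items():
        if location not in walk:
            findings.append(("missing_device", location, d["serial"], None))

    return sorted(findings, key=lambda f: (f[0], f[1]))


def locations_to_quarantine(findings: List[Finding]) -> List[str]:
    """Locations whose device should be taken out of service pending
    investigation (9.9 asks that tampering be corrected, not just noted)."""
    suspicious = {"possible_substitution", "seal_broken", "unknown_device"}
    return sorted({f[1] for f in findings if f[0] in suspicious})


if __name__ == "__main__":
    for kind, location, expected, observed in reconcile(INVENTORY, SITE_WALK):
        print(f"{kind:<22} {location:<8} expected={expected} observed={observed}")
    print("quarantine:", locations_to_quarantine(reconcile(INVENTORY, SITE_WALK)))
```

The reconciliation is deliberately keyed on location rather than serial: a stolen terminal re-registered at a new lane would otherwise look like a normal inventory entry. The seal check stands in for whatever tamper evidence your devices expose (seals, weight, visible case damage); swap the boolean for a richer observation if you record more.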

Further clarifications in PCI 3.0
Much of PCI 3.0 included clarifications and further details that built on the 2.0 update. As Chris Camejo, Director of Assessment Services at NTT Com Security, says: “While most of the changes are simple clarifications of previous requirements, they could have a major impact on merchants as they touch on everything from the definition of scope and segmentation, to formally documenting responsibilities between merchants and service providers and controls for preventing tampering and skimming at the point-of-sale.” Here are some of those clarifications that you need to understand and put into practice at your company:

PCI 3.0 requires merchants to maintain a current network diagram showing how the cardholder data environment connects to other networks (requirement 1.1.2) and adds a requirement for a diagram of how cardholder data flows through systems and networks during the transaction process (requirement 1.1.3).
PCI 3.0 requires merchants to periodically evaluate evolving malware threats for any systems that are not commonly affected by malicious software, so that the anti-malware scope covers not only the systems that specifically handle card data but every business system that could gain access to it.
PCI 3.0 requires anti-virus mechanisms to be actively running on all systems commonly affected by malware. They cannot be disabled or altered by users unless management specifically authorizes it on a case-by-case basis, and then only for a limited time.
PCI 3.0 requires service providers with remote access to customer premises to use unique authentication credentials for each customer (requirement 8.5.1), so that one compromised credential cannot be reused across every customer of the same provider.
PCI 3.0 includes new requirements (9.9) to protect devices that capture payment card data via swiping (magnetic stripe) or dipping (EMV chip) from tampering and substitution, so that a skimmer cannot be inserted into a legitimate terminal, or a look-alike device swapped in for it, to capture card data as the card is read.
Check out the Summary of Changes from PCI DSS Version 2.0 to 3.0 that the PCI SSC issued for more details.

Lean on your payments processor for PCI compliance guidance
Being PCI compliant is an ongoing process. To make sure you achieve and maintain your compliance standing, partner with a payments processor that takes compliance seriously and will be there to support you each step of the way. For PCI 3.0 and every update that comes in the years ahead, an experienced partner that can help you understand and meet the requirements will help your business grow and thrive, safely and securely.
