Adhering to the PCI (Payment Card Industry) standards for
protecting card data is everyone’s business. If you process, store or transmit
card data, you have to abide by these standards. In 2015, the 3.0 version of
the guidelines was released with some important updates. The PCI Security
Standards Council published the update in response to shifting needs in the
payments industry, focusing on the following areas:
Lack of education and awareness
Weak passwords and authentication at merchants and service providers
Third-party security challenges
Slow self-detection of breaches, and malware
Inconsistency in assessments
PCI 3.0 requirements became effective in January 2015 and
July 2015 (depending on the specific requirements), but some merchants are
still unclear on what they mean for their business. Don’t risk being in the
dark on compliance requirements and leave your business vulnerable to a data
breach. Let’s review what these updates mean for merchants.
What PCI 3.0 means for you and your business processes
It’s critical that you understand the ramifications of PCI
3.0 so you can ensure your business is compliant. The main aspects of the PCI
3.0 updates can be broken down into the following four categories:
Increased awareness and education. PCI 3.0 provides
recommendations for implementation best practices and encourages merchants
to hold stricter training and education for their staff. PCI 3.0 stresses that
merchants should require their staff to regularly update passwords and
complete awareness training.
Greater flexibility. PCI 3.0 helps merchants better
understand the specific intent behind each of the PCI requirements, and
allows some flexibility in how the requirements are met. Some requirements even
offer multiple options that allow merchants to achieve the same level of compliance
in a variety of ways.
Security as a shared responsibility. Shared responsibility
refers to the fact that multiple departments or entities may be
responsible for the security of various aspects of your business systems or
networks. PCI 3.0 more clearly defines where responsibility lies in these
situations, which takes away some of the guesswork for merchants. The PCI SSC has also
published a Third-Party Security Assurance Information Supplement to help you
and your service providers more clearly understand your respective roles in achieving and
maintaining compliance.
Monitor controls continuously. PCI 3.0 reiterates the
importance of merchants regularly monitoring and testing their networks and
systems for any issues or failures. The new 3.0 requirement 11.3.4
requires annual penetration tests to validate that the merchant’s network segmentation
methods are operational and effective. Another aspect of PCI 3.0 is requirement
9.9, which calls for merchants to regularly inventory and inspect all physical
POS devices so that any tampering can be detected and corrected. In the past,
physical tampering with POS devices has been a route for attackers to gain
access to systems containing sensitive data. If you take PCI compliance
seriously, then you already know that ongoing maintenance is critical—this
aspect of PCI 3.0 simply reinforces that point.
Digging into shared responsibility
The concept of “shared responsibility” is so important to
PCI compliance because different entities may be responsible for securing
different parts of your systems and networks. This comes into play especially
in the event of a breach, when one party may blame another for the weakness
that attackers exploited.
To address the “finger pointing” that can occur in the
aftermath of a breach, PCI 3.0 includes new requirements for both merchants and
their service providers. Requirement 12.8.5 says that merchants and service
providers are both required to formally document who is responsible for which
PCI requirements. Requirement 12.9 says that service providers must acknowledge
their responsibility for PCI compliance.
Working to combat physical tampering
Data thieves who physically tamper with POS devices have
been a concern—and the cause of several major data breaches—in the past.
Attackers can easily place skimming devices or hidden cameras on gas station
pumps and ATMs, but they can also tamper with countertop POS terminals
with PIN pads. PCI 3.0 requires that merchants regularly inspect all POS
devices to ensure that none have been tampered with. It’s important to note
that, while POS devices do not need to be locked to an immovable object to meet
this requirement, they do need to be diligently checked for signs of tampering.
Further clarifications in PCI 3.0
Much of PCI 3.0 consists of clarifications and further details
that build on the 2.0 update. As Chris Camejo, Director of Assessment Services
at NTT Com Security, says: “While most of the changes are simple clarifications
of previous requirements, they could have a major impact on merchants as they
touch on everything from the definition of scope and segmentation, to formally
documenting responsibilities between merchants and service providers and
controls for preventing tampering and skimming at the point-of-sale.” Here are
some of those clarifications that you need to understand and put into practice
at your company:
PCI 3.0 adds a network diagram that details the required
firewall configuration to protect cardholder data. It also adds a diagram that
shows the flow of cardholder data through the transaction process.
PCI 3.0 requires merchants to evaluate evolving malware
threats for any systems that are not commonly affected by malware.
The update expands its focus to include not only those systems that
specifically handle card data, but all business systems that could potentially
have access to such valuable data.
PCI 3.0 requires anti-virus software to be running on all
computer systems at all times. It cannot be disabled or altered by any user
unless your management team specifically authorizes doing so on a per-case
basis.
PCI 3.0 requires service providers who have remote access to
customer premises to use unique authentication credentials for each customer.
This tightens security across the multiple customers served by the same
service provider, since one compromised credential no longer opens every customer’s environment.
PCI 3.0 includes new requirements to protect devices that
capture payment card data via swiping (magnetic stripe) or dipping (EMV chip)
from tampering and substitution. This prevents card data that has been
transmitted directly from a payment card from being manually altered.
Check out the summary of changes that the PCI SSC issued for
more details.
Lean on your payments processor for PCI compliance guidance
Being PCI compliant is an ongoing process. To make sure you
achieve and maintain your compliance standing, partner with a payments
processor that takes compliance seriously and will be there to support you each
step of the way. For PCI 3.0 and every other update that comes in the years
ahead, make sure you have an experienced partner that can help you understand
and meet the requirements; that partnership will help your business grow and thrive, safely and
securely.