Digging into PCI 3.0: What shared responsibility means for your business
Adhering to the PCI (Payment Card Industry) standards for protecting card data is everyone’s business. If you process, store or transmit card data, you have to abide by these standards. In 2015, the 3.0 version of the guidelines was released with some important updates. The PCI Security Standards Council published the update in response to shifting needs in the payments industry, specifically in the following areas:
- Lack of education and awareness
- Weak passwords and authentications by merchants and service providers
- Third-party security challenges
- Slow self-detection and malware
- Inconsistency in assessments
PCI 3.0 requirements became effective in January 2015 and July 2015 (depending on the specific requirements), but some merchants are still unclear on what they mean for their business. Don’t risk being in the dark on compliance requirements and leave your business vulnerable to a data breach. Let’s review what these updates mean for merchants.
What PCI 3.0 means for you and your business processes
It’s critical that you understand the ramifications of PCI 3.0 so you can ensure your business is compliant. The main aspects of the PCI 3.0 updates can be broken down into the following four categories:
- Increased awareness and education. PCI 3.0 provides best-practice recommendations for implementation and encourages merchants to give their staff stricter training and education. PCI 3.0 stresses that merchants should require staff to update passwords regularly and to complete awareness training.
- Greater flexibility. PCI 3.0 helps merchants better understand the specific intent behind each of the PCI requirements, and allows some flexibility in how the requirements are met. Some requirements even offer multiple options that let merchants achieve the same level of compliance in different ways.
- Security as a shared responsibility. Shared responsibility reflects the fact that multiple departments or entities may be responsible for the security of different parts of your business systems or networks. PCI 3.0 defines more clearly where responsibility lies in these situations, which takes away some of the guesswork for merchants. The PCI Council has also published a Third-Party Security Assurance Information Supplement to help you and your service providers understand your respective roles in achieving and maintaining compliance.
- Monitor controls continuously. PCI 3.0 reiterates the importance of merchants regularly monitoring and testing their networks and systems for any issues or failures. New requirement 11.3.4 in version 3.0 requires annual penetration tests to validate that network segmentation methods are operational and effective. Another aspect of PCI 3.0 is requirement 9.9, which calls for merchants to regularly inventory and inspect all physical POS devices so that any tampering can be detected and corrected. In the past, physical tampering with POS devices has given attackers a route into systems containing sensitive data. If you take PCI compliance seriously, then you already know that ongoing maintenance is critical; this aspect of PCI 3.0 simply reinforces that point.
Digging into shared responsibility
The concept of “shared responsibility” is so important to PCI compliance because different entities may be responsible for securing different parts of your systems and networks. This comes into play especially in the event of a breach, when one party may blame another for the weakness that the attackers exploited.
To address the “finger pointing” that can occur in the aftermath of a breach, PCI 3.0 includes new requirements for both merchants and their service providers. Requirement 12.8.5 requires merchants and service providers to formally document which PCI requirements each party is responsible for. Requirement 12.9 requires service providers to acknowledge in writing their responsibility for PCI compliance.
Working to combat physical tampering
Data thieves who physically tamper with POS devices have been a concern in the past, and the cause of several major data breaches. Criminals can easily place skimming devices or hidden cameras on gas station pumps and ATMs, but they can also tamper with countertop POS terminals with PIN pads. PCI 3.0 requires that merchants regularly inspect all POS devices to ensure that none have been tampered with. It’s important to note that, while POS devices do not need to be locked to an immovable object to meet this requirement, they do need to be checked diligently for signs of tampering or substitution.
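Requirement 9.9 rests on two records: an inventory of card-capture devices (make/model, location, serial number) and a log of periodic physical inspections. The script below, an added example that is not part of the original article or of any PCI SSC material, reconciles constructed sample versions of those two records and flags the conditions an inspector should catch: a device whose serial no longer matches the register (possible substitution), a broken tamper seal, a device nobody has inspected recently, and a device on the floor that the register does not know about. Device IDs, serials and dates are all made up.

```python
from datetime import date, timedelta

# Constructed device register: the inventory requirement 9.9 asks merchants to keep.
DEVICE_REGISTER = {
    "POS-001": {"model": "Example PinPad", "location": "Lane 1", "serial": "SN-1001"},
    "POS-002": {"model": "Example PinPad", "location": "Lane 2", "serial": "SN-1002"},
    "POS-003": {"model": "Example PinPad", "location": "Customer service", "serial": "SN-1003"},
}

# Constructed inspection log: what staff recorded when they physically checked each device.
INSPECTIONS = [
    {"device": "POS-001", "date": date(2015, 9, 1), "serial": "SN-1001", "seals_intact": True},
    # Serial on the terminal differs from the register: possible device substitution.
    {"device": "POS-002", "date": date(2015, 9, 1), "serial": "SN-2002", "seals_intact": True},
    # A terminal that is not in the register at all.
    {"device": "POS-004", "date": date(2015, 9, 1), "serial": "SN-1004", "seals_intact": True},
    # POS-003 has no inspection record in this window.
]


def reconcile(register, inspections, today, max_age_days=30):
    """Return sorted (device_id, finding) pairs; an empty list means every device checked out."""
    findings = []
    latest = {}  # most recent inspection date per registered device
    for rec in inspections:
        dev = rec["device"]
        if dev not in register:
            findings.append((dev, "unknown device: not in inventory register"))
            continue
        expected = register[dev]["serial"]
        if rec["serial"] != expected:
            findings.append((dev, f"serial mismatch: expected {expected}, found {rec['serial']}"))
        if not rec["seals_intact"]:
            findings.append((dev, "tamper seal broken"))
        if dev not in latest or rec["date"] > latest[dev]:
            latest[dev] = rec["date"]
    # Every registered device must have a recent inspection, not just the ones staff got to.
    for dev in register:
        if dev not in latest:
            findings.append((dev, "never inspected"))
        elif today - latest[dev] > timedelta(days=max_age_days):
            findings.append((dev, f"last inspection {latest[dev]} is older than {max_age_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for dev, finding in reconcile(DEVICE_REGISTER, INSPECTIONS, date(2015, 9, 15)):
        print(f"{dev}: {finding}")
```

The inspection interval (30 days here) is an assumption; the standard leaves the frequency to the merchant's own risk assessment.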
Further clarifications in PCI 3.0
Much of PCI 3.0 consists of clarifications and additional detail building on the 2.0 update. As Chris Camejo, Director of Assessment Services at NTT Com Security, says: “While most of the changes are simple clarifications of previous requirements, they could have a major impact on merchants as they touch on everything from the definition of scope and segmentation, to formally documenting responsibilities between merchants and service providers and controls for preventing tampering and skimming at the point-of-sale.” Here are some of those clarifications that you need to understand and put into practice at your company:
- PCI 3.0 calls for a network diagram that details the firewall configuration protecting cardholder data, and a second diagram that shows the flow of cardholder data through the transaction process.
- PCI 3.0 requires merchants to evaluate evolving malware threats even for systems that are not commonly affected by malicious software. The update expands the focus from only those systems that specifically handle card data to all business systems that could potentially reach such valuable data.
- PCI 3.0 requires anti-virus software to be running on all computer systems at all times. It cannot be disabled or altered by any user unless your management team specifically authorizes doing so on a case-by-case basis.
- PCI 3.0 requires service providers who have remote access to customer premises to use unique authentication credentials for each customer, so that one credential shared across customers cannot expose all of them at once.
- PCI 3.0 includes new requirements to protect devices that capture payment card data via swiping (magnetic stripe) or dipping (EMV chip) from tampering and substitution. The aim is to prevent card data read directly from the payment card from being altered before it is transmitted.
Check out the summary of changes that the PCI SSC issued for more details.
Lean on your payments processor for PCI compliance guidance
Being PCI compliant is an ongoing process. To make sure you achieve and maintain your compliance standing, partner with a payments processor that takes compliance seriously and will be there to support you each step of the way. For PCI 3.0 and every other update that comes in the years ahead, make sure you have an experienced partner that can help you understand and meet the requirements, so your business can grow and thrive, safely and securely.