What Merchants Need to Know about PCI 3.0
In our previous post, we discussed the Payment Card Industry Security Standards Council's (PCI SSC) latest update to the PCI Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS), also known as PCI 3.0. The main driver behind PCI 3.0 is to make payment security a business-as-usual activity and a shared responsibility across the whole organization, rather than an annual compliance exercise that produces a report and is then forgotten.
This shift in thinking is driven by the lack of PCI compliance among merchants. According to a Tripwire survey, only 41 percent of retail companies are using penetration testing to pinpoint security vulnerabilities and just 44 percent have implemented a process for file integrity monitoring.
While the PCI-SSC has provided a summary of changes and evolving requirements in PCI 3.0, there are certain updates to the standard that are likely to have the greatest impact on merchants.
Stricter Penetration Testing Mandates. An ongoing concern has been whether the cardholder data environment (CDE) is genuinely segmented from the rest of the network, which is why organizations conduct penetration tests and vulnerability assessments: to find out whether an attacker who gains a foothold elsewhere could reach cardholder data. Under PCI 3.0 (Requirement 11.3), penetration testing must follow an industry-accepted methodology (the standard cites NIST SP 800-115 as an example), cover the network and application layers from both inside and outside the network, and, where segmentation is used to reduce scope, include tests that confirm the segmentation controls actually isolate the CDE (Requirement 11.3.4). A scan that merely lists open ports no longer satisfies the requirement.
Organizations without in-house staff qualified to run such tests will need to engage a service provider that follows a formal, documented methodology and can show that segmentation was validated, not just that vulnerabilities were enumerated.
System Component Inventories. System components are any hardware or software in, or connected to, the cardholder data environment. PCI 3.0 (Requirement 2.4) requires merchants to maintain an inventory of in-scope system components that records what each component is and what it is used for. Organizations with many locations, and those that use virtualization, may struggle to keep this inventory current as components are added, moved and retired; an inventory that is reconciled against reality only once a year will not reflect what is actually in scope.
Increased PoS System Inspections and Access Controls. Devices that capture cardholder data through direct physical interaction, such as Point-of-Sale (PoS) terminals and PIN pads, must be inventoried (make, model, location and serial number) and periodically inspected to ensure they haven't been tampered with or swapped for a different device (Requirement 9.9). Because card skimming is a prevalent problem, employees must be able to recognize signs of tampering or suspicious behavior, which is likely to require additional security training for anyone who works at the point of sale. Physical access to PoS devices by employees must be controlled and authorized by the merchant, and when an employee leaves, that access must be revoked immediately.
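Both of the preceding points come down to the same operational check: the declared inventory has to be compared with what is actually present, and the differences have to be acted on. The script below does that for a server inventory (hosts seen on the CDE segment versus hosts declared) and for a PoS device list (serial numbers read off the terminals during inspection versus the serials declared for each location). It is an added example written for this post, not code from ICG or the PCI SSC; the CSV layout, addresses, serial numbers and store locations are all constructed.

```python
"""Reconcile a declared PCI DSS component inventory against observations.

Added illustration, not code from the original post. Everything below
(CSV layout, addresses, serial numbers, locations) is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed declared inventory. Requirement 2.4 wants each in-scope
# component's function/use; Requirement 9.9.1 wants make/model, location
# and serial number for every card-capturing device. Hypothetical values.
DECLARED_INVENTORY_CSV = """\
asset_id,kind,identifier,function,location
db01,server,10.20.0.10,cardholder database,DC-A rack 3
app01,server,10.20.0.11,payment application,DC-A rack 3
jump01,server,10.20.0.12,,DC-A rack 4
pos-0001,pos_terminal,SN-7F3A21,card-present capture,Store 12 lane 1
pos-0002,pos_terminal,SN-7F3A22,card-present capture,Store 12 lane 2
"""

# Constructed observations: hosts answering on the CDE segment, and serial
# numbers read off the terminals during the periodic inspection (9.9.2).
OBSERVED_HOSTS = ["10.20.0.10", "10.20.0.11", "10.20.0.57"]
OBSERVED_POS_SERIALS = {
    "Store 12 lane 1": "SN-7F3A21",
    "Store 12 lane 2": "SN-9C0011",   # not the terminal that was declared here
}


@dataclass(frozen=True)
class Component:
    asset_id: str
    kind: str          # "server" or "pos_terminal"
    identifier: str    # IP address for servers, serial number for terminals
    function: str
    location: str


def load_inventory(text):
    """Parse the CSV inventory into Component records."""
    return [Component(**row) for row in csv.DictReader(io.StringIO(text))]


def reconcile(inventory, observed_hosts, observed_pos_serials):
    """Compare declared components with what was actually observed.

    Returns a dict of findings; each list is empty when that check passes:
      undocumented_hosts - on the CDE network but not in the inventory
      missing_hosts      - in the inventory but not seen (retired? moved?)
      no_function        - entries with no stated function/purpose (req. 2.4)
      pos_mismatch       - (asset_id, declared serial, observed serial) where
                           the terminal at a location is not the declared one
    """
    findings = {"undocumented_hosts": [], "missing_hosts": [],
                "no_function": [], "pos_mismatch": []}

    declared_hosts = {c.identifier: c for c in inventory if c.kind == "server"}
    seen_hosts = set(observed_hosts)
    findings["undocumented_hosts"] = sorted(seen_hosts - set(declared_hosts))
    findings["missing_hosts"] = sorted(
        c.asset_id for ip, c in declared_hosts.items() if ip not in seen_hosts)

    findings["no_function"] = [c.asset_id for c in inventory
                               if not c.function.strip()]

    for c in inventory:
        if c.kind != "pos_terminal":
            continue
        observed = observed_pos_serials.get(c.location)   # None if no reading
        if observed != c.identifier:
            findings["pos_mismatch"].append((c.asset_id, c.identifier, observed))
    return findings


if __name__ == "__main__":
    result = reconcile(load_inventory(DECLARED_INVENTORY_CSV),
                       OBSERVED_HOSTS, OBSERVED_POS_SERIALS)
    for check, items in result.items():
        print(f"{check}: {items or 'OK'}")
```

Run against the constructed data, the script reports an unknown host (10.20.0.57) on the CDE segment, a declared host (jump01) that was not seen and also has no stated function, and a terminal at Store 12 lane 2 whose serial does not match the declared device. Each of those is exactly the kind of discrepancy an assessor will ask about, and the last one is what a skimmer swap looks like from the inventory side.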
Additional Service Provider and Vendor Requirements. In addition to using unique authentication credentials for each customer environment they access remotely (Requirement 8.5.1), service providers under PCI 3.0 must acknowledge in writing that they are responsible for the security of the cardholder data they possess, store, process or transmit on the merchant's behalf (Requirement 12.9). Merchants, for their part, must document which PCI DSS requirements are managed by each service provider and which remain the merchant's own (Requirement 12.8.5). Agreeing to the scope of each party's responsibilities in writing adds accountability and avoids confusion during compliance assessments.
Stronger Antimalware Controls. Previously, antimalware systems needed to be running, kept current and producing audit logs. Under PCI 3.0, merchants must also "identify and evaluate evolving malware threats" through periodic evaluations, including for platforms previously considered not commonly affected by malware, so that the decision not to run antimalware on a system is revisited rather than assumed (Requirement 5.1.2). The antimalware mechanism must also be configured so that users cannot disable or alter it unless management specifically authorizes an exception, case by case and for a limited time (Requirement 5.3).
ICG understands the latest PCI compliance requirements and can help you make cardholder data protection part of your everyday business processes.