Why Payment Card Security Must Be an Everyday Business Practice
In our previous post, we explained that 2015 is being dubbed the “year of mobile payments,” as more and more retailers begin to accept smartphone-based payment options. 2014 has been given a less-auspicious name: the “year of the data breach.” Hundreds of millions of credit card numbers were stolen last year, affecting as many as 60 percent of American consumers.
Preventing 2015 from being a repeat (or worse) requires a new approach to credit card security. That is the aim of version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS), the latest set of security compliance requirements for organizations that accept credit and debit card payments. PCI 3.0 went into effect on January 1, 2014, and became mandatory on January 1 of this year.
PCI 3.0 represents a significant update of the standard. While version 2.0 added only two new requirements over version 1.2.1, version 3.0 adds 20 over version 2.0. Most of the changes clarify existing requirements rather than introduce new ones, but there is also a change in mindset.
The central message conveyed by the new standard is that payment security must be an everyday business process, a shared responsibility across the entire organization to protect cardholder data. In many cases, organizations have been putting compliance on the back burner until it needs to be assessed and validated. Moving forward, the PCI SSC expects payment security to become a business-as-usual discipline. As part of this shift in approach, organizations will be required to self-validate their own processes, services and technology to identify and correct compliance issues.
PCI 3.0 also includes best practices for ensuring PCI-DSS compliance on a regular basis. These best practices include:
- Ongoing monitoring of security software and protocols to make sure they’re operating properly.
- Implementing processes to quickly detect and address security control failures.
- Evaluating how planned modifications to the environment, such as changing system and network configurations or adding new systems, will affect the PCI-DSS scope, and then adjusting security controls accordingly.
- Determining how mergers, acquisitions and other organizational changes affect the PCI-DSS scope and whether or not existing technology will be supported by their vendors.
- Assigning and separating responsibilities for security and operations to ensure a system of checks and balances.
The updates in PCI 3.0 are intended to shine a new light on the importance of cardholder data security throughout the organization. They require that merchants follow best practices that preserve consumer trust in the payment card system.
For example, vendors that remotely access customer systems will now be required to use a separate credential for each customer environment (PCI DSS 3.0 requirement 8.5.1, which applies to service providers with remote access to customer premises). This rule is the result of a security breach in which an attacker gained access to a single account and then used the same password to infiltrate every other customer account belonging to that vendor. While modern threats receive the most attention, this case shows the need to address the basic best practices, which can be accomplished in part by increasing awareness and education.
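As an added example (not code from the original post or from the PCI SSC), the check below shows how a vendor could self-validate the per-customer credential rule described above. It assumes a constructed inventory of remote-access credentials, one per customer environment, pulled from the vendor's credential vault; the customer names, usernames and passwords are made up. Credentials are compared by a keyed HMAC fingerprint rather than in the clear, so the audit report identifies which customers share a password without ever recording the password itself.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample inventory (assumed structure): the remote-access credential
# a support vendor holds for each customer environment. Three customers share
# one password, which is exactly the failure the breach described above exploited.
SAMPLE_INVENTORY = [
    {"customer": "acme-retail", "username": "svc-remote", "password": "Sp00ky!Winter2014"},
    {"customer": "bigbox-stores", "username": "svc-remote", "password": "Sp00ky!Winter2014"},
    {"customer": "corner-cafe", "username": "svc-remote", "password": "Sp00ky!Winter2014"},
    {"customer": "downtown-pharmacy", "username": "svc-remote", "password": "k8G#v2p!Qz9wLm4r"},
]

# The same inventory after remediation: every customer gets its own secret.
UNIQUE_INVENTORY = [
    {"customer": "acme-retail", "username": "svc-remote", "password": "T7r!mXq2Lp9sVb4e"},
    {"customer": "bigbox-stores", "username": "svc-remote", "password": "Hn3$kWz8Rf6yJc1u"},
    {"customer": "corner-cafe", "username": "svc-remote", "password": "Pd5&vGq4Ym2xKt7a"},
    {"customer": "downtown-pharmacy", "username": "svc-remote", "password": "k8G#v2p!Qz9wLm4r"},
]


def fingerprint(secret: str, audit_key: bytes) -> str:
    """Keyed fingerprint of a secret.

    HMAC under an audit-only key means the report cannot be turned back into
    the password by someone who reads it, unlike a plain unsalted hash that
    could be brute-forced offline.
    """
    return hmac.new(audit_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_shared_credentials(inventory, audit_key: bytes):
    """Group customer environments by password fingerprint.

    Returns {fingerprint: [customers]} for every password used by more than one
    distinct customer. Only the password is fingerprinted: the same service
    username across customers is acceptable, the same password is not.
    """
    groups = defaultdict(set)
    for entry in inventory:
        groups[fingerprint(entry["password"], audit_key)].add(entry["customer"])
    return {fp: sorted(customers) for fp, customers in groups.items() if len(customers) > 1}


def is_compliant(inventory, audit_key: bytes) -> bool:
    """True when no password is shared across customer environments."""
    return not find_shared_credentials(inventory, audit_key)


if __name__ == "__main__":
    key = b"example-audit-key"  # in practice, a per-run secret from the vault, never hard-coded
    for fp, customers in find_shared_credentials(SAMPLE_INVENTORY, key).items():
        print(f"password {fp} is shared by {len(customers)} customers: {', '.join(customers)}")
    print("before remediation compliant:", is_compliant(SAMPLE_INVENTORY, key))
    print("after remediation compliant: ", is_compliant(UNIQUE_INVENTORY, key))
```

Run as part of the "business-as-usual" validation the standard calls for, a job like this turns the rule into a control failure that is detected on a schedule rather than discovered during a breach investigation. The audit key should be generated fresh for each run so that fingerprints from different reports cannot be correlated.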
In our next post, we’ll discuss in greater detail some of the specific requirements of PCI 3.0 from a technology perspective.