Walk into any major brand's retail outlet, a small or medium retail store, a high-end hotel or a small wayside restaurant today and you would not be surprised to find that they accept card payments for the goods and services they provide. The payment card industry (PCI), covering debit, credit, prepaid, e-purse, ATM and POS cards and the businesses associated with them, is bound by the Payment Card Industry Data Security Standard (PCI DSS). A lack of education and awareness around payment security, together with poor implementation and maintenance of the PCI standards, leads to security breaches, and cardholder data continues to be a target for criminals.
New versions of the PCI DSS are introduced only after feedback from the industry on methods to improve payment security, on global applicability, and on the cost and benefit of any changes to infrastructure. Changes in the PCI standards framework reflect the growing maturity of the payment security industry and its strength in protecting cardholder data. Even though version 3 of the PCI DSS introduces changes over its previous versions, the core 12 security areas remain the same. Nevertheless, in a business environment that offers cyber attackers a number of loopholes, enterprises are challenged to ensure the protection of cardholder data.
Since the PCI DSS applies to all stakeholders involved in payment card processing, PCI DSS compliance management is a sensitive affair. Across industries, inconsistent encryption and malicious hackers gaining access to credit card data have resulted in huge financial losses and brand-image exposure. Although enterprises were compliant with Sarbanes-Oxley and HIPAA, their controls were not adequate to meet the PCI DSS requirements. Enterprises therefore took advantage of automated processes for monitoring security vulnerabilities, mapping security controls and initiating remediation actions to help them meet compliance requirements.
However, even as PCI DSS 3.0 moves towards its implementation stages, not all merchants are fully aware of the three critical changes and why the payment card processing system needs them. Version 3 of the standard includes changes from the previous version that are essentially clarifications on scope and segmentation and on the responsibilities of merchants and service providers. While this will greatly affect merchants, it will also help prevent tampering and skimming at any point of sale. Whereas enterprises have tended to run vulnerability scans on only a handful of the systems that handle credit and debit cards, under version 3 of the PCI DSS compliance is required across all systems that handle card data, unrelated systems connected to the same network, and authentication servers, firewalls and web redirection servers.
Further, while the PCI DSS already encourages network segmentation through the use of firewalls, the new version 3 expects enterprises to use network penetration tests to validate that their segmentation methods are operational and effective, by July 2015. In the aftermath of the Target point-of-sale breach, PCI DSS version 3 requires both merchants and service providers to formally document who is responsible for each PCI requirement. Moreover, with rising cases of tampering with physical point-of-sale devices, the new PCI requirement (9.9) calls for an inventory of devices and regular inspections to detect tampering. Hence, ahead of the January 2015 deadline, merchants need to understand the scope and segmentation required for PCI DSS compliance, work with service providers to define responsibilities and potentially alter contracts, and implement controls to prevent tampering and skimming of point-of-sale devices. The January 2015 deadline for assessing against version 3.0 is around the corner, although some of these requirements do not go into effect until July 2015. The PCI DSS requirements will be validated during the first SAQ or QSA assessment in 2015. It is best to start addressing the necessary changes immediately.
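The requirement 9.9 control described above (an inventory of point-of-sale devices plus periodic inspection) is something a merchant can reconcile mechanically. The following is an added example, not code from the original post or from Aegify; the inventory fields (make/model, location, serial), the 30-day inspection interval and all device records are constructed assumptions used to show how inspection logs can be checked against the inventory.

```python
"""Reconcile a POS device inventory against floor inspection records (PCI DSS 3.0 req. 9.9).
Added example with constructed data; field names and the inspection interval are assumptions."""
from datetime import date

# Constructed inventory: one record per POS device the merchant owns.
INVENTORY = [
    {"id": "POS-01", "make_model": "Terminal A100", "location": "Lane 1", "serial": "SN-1001"},
    {"id": "POS-02", "make_model": "Terminal A100", "location": "Lane 2", "serial": "SN-1002"},
    {"id": "POS-03", "make_model": "Terminal B200", "location": "Cafe", "serial": "SN-2003"},
]

# Constructed inspection log: what staff actually observed on the floor at each check.
INSPECTIONS = [
    {"id": "POS-01", "date": date(2015, 1, 10), "serial_seen": "SN-1001", "seal_intact": True},
    {"id": "POS-02", "date": date(2015, 1, 10), "serial_seen": "SN-9999", "seal_intact": True},
    {"id": "POS-03", "date": date(2014, 11, 1), "serial_seen": "SN-2003", "seal_intact": False},
    {"id": "POS-04", "date": date(2015, 1, 10), "serial_seen": "SN-4004", "seal_intact": True},
]


def reconcile(inventory, inspections, today, max_age_days=30):
    """Return (device_id, finding) pairs a reviewer should act on."""
    findings = []
    by_id = {d["id"]: d for d in inventory}
    # Keep only the most recent inspection record per device.
    latest = {}
    for rec in inspections:
        cur = latest.get(rec["id"])
        if cur is None or rec["date"] > cur["date"]:
            latest[rec["id"]] = rec
    for dev_id, dev in by_id.items():
        rec = latest.get(dev_id)
        if rec is None:
            findings.append((dev_id, "never inspected"))
            continue
        if (today - rec["date"]).days > max_age_days:
            findings.append((dev_id, "inspection overdue"))
        if rec["serial_seen"] != dev["serial"]:  # a swapped terminal shows a different serial
            findings.append((dev_id, "serial mismatch: possible device substitution"))
        if not rec["seal_intact"]:
            findings.append((dev_id, "tamper seal broken"))
    for dev_id in latest:  # a device on the floor that inventory does not know about
        if dev_id not in by_id:
            findings.append((dev_id, "device not in inventory"))
    return findings


def run_sample():
    """Reconcile the constructed data as of a fixed review date."""
    return reconcile(INVENTORY, INSPECTIONS, date(2015, 1, 15))
```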
In summary, the three critical changes in PCI DSS v3.0 are the definition of scope and segmentation, the documentation of service providers' responsibilities and the resulting need to alter contracts, and the controls to be implemented to prevent tampering and skimming at point-of-sale devices.
Aegify SecureGRC now includes, in its suite of ready-to-use compliance frameworks, the latest PCI DSS v3.0 controls for checking the compliance status of merchants quickly and easily, taking away the complexity of the controls mandated for merchants and their service providers. Quickly find out how compliant you are with PCI DSS v3.0 by running Aegify SecureGRC from the cloud.