PCI Compliance: Preparing for Version 3.0
When version 3.0 of the Payment Card Industry Data Security Standards becomes mandatory next month, merchants may need to make some changes.
By Mark Burnette, LBMC Security & Risk Services
The Payment Card Industry Data Security Standards (PCI DSS) are always evolving. Any merchant that stores, transmits or processes data from credit cards is subject to the PCI security rules – and every one of these merchants must keep up with changes to the PCI compliance guidelines.
A major change is upon us, with Version 3.0 of the standards becoming mandatory on Jan. 1, 2015. So what do merchants need to know to prepare themselves?
Short History of PCI Version 3.0
In fact, Version 3.0 is already in effect – and has been since the beginning of 2014. On Jan. 1 of this year, the new rules went into full force, but merchants had the choice to demonstrate compliance against either Version 2.0 or 3.0 for the duration of 2014.
Once the new year arrives, however, there will be only one set of rules: Version 3.0. The new PCI compliance guidelines are not a major reinvention, but rather a clarification and a refinement, intended to help merchants keep up with evolving security threats and understand their compliance responsibilities with respect to PCI.
What, then, are the most important of these changes?
Point of Sale and PCI
Today a common form of data theft is installing overlay equipment on ATM machines to capture information from ATM users, including PIN numbers and debit card data.
Point of sale (PoS) environments such as the automatic checkouts found at gas stations, grocery stores, and retailers are similarly vulnerable. With PoS environments becoming more common, it’s important to establish and enforce effective security standards for these devices.
To this end, PCI DSS Version 3.0 introduces a brand new set of requirements. PCI control 9.9.2 calls for organizations with PoS environments to "periodically inspect devices for signs of tampering or substitution." While the rule doesn’t specify a frequency of inspection, it does require documentation of the effort.
In practical terms, this means merchants must decide on an inspection frequency – perhaps once a quarter. Then, at the determined time, they will need to physically inspect every PoS device and document what they find, recording either that they found no signs of problems or that they discovered something suspicious. Of course, if tampering is suspected, the merchant will want to respond promptly to address the situation.
PCI and Working with Third Parties
Another set of changes, Requirements 12.8.5 and 12.9, bring clarity to the process of engaging third parties in order to meet PCI compliance guidelines.
In the past, many merchants believed they could simply outsource PCI responsibilities to a vendor. The new rules make it clear that merchants cannot outsource their PCI obligation entirely – but they can engage vendors to handle elements of implementation and/or operation.
In practice, this means that when a merchant engages a vendor to provide any sort of support related to the merchant’s credit card processing environment, the two parties must document their respective responsibilities.
Furthermore, vendors must formally affirm responsibility for particular facets of their clients’ PCI compliance. This affirmation must be in writing. This way, merchants know precisely which services they receive – and both parties are clear regarding which elements of PCI compliance for which they are responsible.
PCI Requirements vs. Best Practices
For larger businesses, both of these PCI requirements will constitute a significant effort. So until July 2015, these two new rules are considered "best practices": That is, they are encouraged but not required for compliance. After July, however, they will be required.
What this means for merchants is that if you have a PCI reporting date before July of 2015, you have until your next report to implement the changes noted above. (Waiting this long is not in your best interests from a security standpoint, however.) If you have a reporting date after July, you will be required to demonstrate compliance with all of the new rules in your 2015 report.
For all merchants, it is advisable to ensure compliance as soon as practically possible. PCI compliance guidelines are best regarded not as an obligation to be checked off a list, but as a set of recommendations that can help protect both your customers and your business.
In his role as partner with LBMC Security & Risk Services, Mark Burnette directs the firm’s resources to craft security solutions that mitigate security risks in a way that is practical and relevant to the organization’s environment. He has received numerous commendations for his contributions to information security on behalf of his employers and the community at large. Most recently, the Information Systems Security Association (ISSA) named him a Fellow, one of a handful of individuals recognized for their accomplishments in information security, leadership and service to the association and profession.