What PCI DSS 3.0 Means for Your Business
Does your business take credit or debit cards? Do you run an e-commerce website? Do you shop on websites using a credit or payment card? If you answered yes to any of these questions, you should be well acquainted with the Payment Card Industry Data Security Standard. It is designed primarily to help reduce credit card fraud by ensuring that companies that process or store card information are regularly audited for compliance.
It is important to know that formal PCI DSS validation is required. According to the FAQs within the PCI Compliance Guide, "All merchants, small or large, need to be PCI compliant." The level of compliance, however, depends on a variety of items, including the number of transactions processed by the merchant. Even if your company uses a third party to process credit cards, you must be PCI compliant:
Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
With data breaches occurring right and left, both online and in brick-and-mortar establishments, going through PCI DSS validation will actually ensure that your financial infrastructure is more robust and secure. In the event of a breach, if your company has not gone through the appropriate compliance or has not used the right compliance standard, you could face additional fines and penalties.
Data breaches are actually pretty common. Typically, you only hear about the major ones; smaller breaches of nonfinancial data happen regularly. Depending on the state, if a breach takes place and PII (personally identifiable information) is leaked or exposed, the company hosting the data must disclose the breach within a fairly short time frame. If financial information is exposed, the urgency increases.
PCI DSS 3.0 Evolves to Meet Modern Threats
The frequency of breaches is increasing. Businesses should be wary of this and work to improve the security and procedures within their organizations to thwart issues.
This is where PCI DSS matters, and it is why the recently adopted PCI DSS 3.0 standard improves on previous versions. Also, the standard's release cycle has moved from every two years to every three years in order to provide "a longer period to gather feedback and more time for organizations to implement changes before a new version is released," according to the Version 3.0 Change Highlights document published by the PCI Security Standards Council, the governing body of the PCI DSS.
The original 12 PCI DSS requirements are broken into six control objectives:
You should consider implementing many of the items on this list, regardless of whether you are storing, processing or transmitting payment or credit card information. Maintaining an active and strong firewall can prevent attacks and breaches within your infrastructure. Having stronger, nonstandard passwords is something that all organizations should implement, whether the web environment is public-facing or private. Patching and regularly updating your servers means that they will be more secure in the process.
Several of the above requirements are specific to cardholder information. You should consider implementing these requirements for PII in general, even if that information does not contain credit card or payment information; the security of passwords or Social Security numbers is just as important in the effort to prevent identity theft.
According to an infographic produced by the PCI Security Standards Council:
- 63 percent of investigations identifying a security deficiency easily exploited by hackers revealed a third party responsible for system support, development, or maintenance.
- Either because of lack of education or policy enforcement, employees leave the door open for attacks by picking weak passwords, clicking on phishing links, or sharing company information on social and public platforms.
- Employees directly involved in the payment chain—like cashiers, waiters, and bank tellers—are most often responsible for internal breaches.
So when does your business have to comply with the new 3.0 standards? The updated standards became effective on January 1, 2014, so if you need to validate your compliance, you should start working on it now. However, because the transition may take time to implement, version 2.0 will remain active until December 31, 2014.
What’s New in PCI DSS 3.0?
According to TechTarget's SearchSecurity, the most important changes from 2.0 to 3.0 have more to do with supplemental and clarification-related items than with new requirements. There are five areas that TechTarget specifically calls out as important:
- Penetration Testing: Companies must now follow an "industry-accepted penetration methodology," which means that smaller businesses may not have adequately trained staff to do this testing and may be forced to get outside help to conduct the testing.
- Inventorying System Components: Companies must now maintain an inventory of hardware and software (including a “description of function/use for each”) that is used in cardholder data retention. This could be complex for some organizations because the reasons for components and how they are used must be kept current.
- Vendor Relationships: Companies must now fully document which vendors have access to cardholder data and must maintain a record of each vendor's compliance status.
- Antimalware: Companies must be ready to evaluate and act upon evolving malware threats, and any disabling of antimalware systems must now have a fully documented protocol, with time limits on how long these systems can be disabled.
- Physical Access and Point-of-Sale (PoS): Restrictions on PoS devices and the servers that store cardholder data have been around for a long time, but the restrictions are getting tighter because merchants need to prevent PoS devices from being tampered with or replaced. This isn't new, but with "periodic inspecting" possibilities, some companies may be in for a surprise.
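The antimalware item above asks for a documented protocol with time limits on how long protection may be disabled. The following is an added example (not part of the original article or any PCI SSC material) of how a team could audit its own endpoint-protection logs against such a protocol; the log format, the `ticket=` field and the 60-minute limit are constructed assumptions, not values from the standard.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical endpoint-protection log: a
# ticketed 25-minute window, an unticketed disable, an overrun, and an open one.
SAMPLE_LOG = """\
2014-03-02T01:00:00 host=pos-07 av=disabled ticket=CHG-1042
2014-03-02T01:25:00 host=pos-07 av=enabled ticket=CHG-1042
2014-03-02T02:10:00 host=pos-12 av=disabled
2014-03-02T02:15:00 host=pos-12 av=enabled
2014-03-02T03:00:00 host=db-01 av=disabled ticket=CHG-1050
2014-03-02T05:30:00 host=db-01 av=enabled ticket=CHG-1050
2014-03-02T06:00:00 host=pos-03 av=disabled ticket=CHG-1061
"""

MAX_DISABLED = timedelta(minutes=60)  # assumed approved time limit
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) av=(?P<state>enabled|disabled)"
    r"(?: ticket=(?P<ticket>\S+))?"
)

def audit_av_events(log_text, now, max_disabled=MAX_DISABLED):
    """Return (host, finding) pairs for disablements that break the policy:
    no change ticket, or disabled longer than the approved window."""
    findings = []
    open_disables = {}  # host -> start time of an unclosed disablement
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not AV state changes
        ts, host = datetime.fromisoformat(m["ts"]), m["host"]
        if m["state"] == "disabled":
            if not m["ticket"]:
                findings.append((host, "disabled without change ticket"))
            open_disables[host] = ts
        else:
            start = open_disables.pop(host, None)
            if start and ts - start > max_disabled:
                findings.append((host, "disabled longer than approved window"))
    for host, start in open_disables.items():  # never re-enabled
        if now - start > max_disabled:
            findings.append((host, "still disabled past approved window"))
    return findings

def audit_sample():
    return audit_av_events(SAMPLE_LOG, now=datetime(2014, 3, 2, 8, 0))

if __name__ == "__main__":
    for host, finding in audit_sample():
        print(host, finding)
```

Feeding the check real logs would mean adapting `LINE_RE` to the product's own event format; the point is that every disablement is tied to a documented change and measured against the time limit the protocol sets.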
The best thing to do when evaluating your company's PCI DSS 3.0 compliance and preparing to go through the validation process is to get some help. Larger companies may be accustomed to doing the compliance process and have a team in place to do so, but smaller merchants may require help from a third party whose business is PCI DSS.
Don't take these new standards lightly. They will not only protect your customers' privacy and security but also potentially limit your liability if a breach takes place within your server environment.