Security
PCI Compliance Changes | Storm Internet
Version 3.0 of PCI Data Security Standard has been in effect since 2015 but many merchants who process credit card payments are still confused about what the changes are and how exactly they affect your business. In this article I will explain what changes you really need to pay attention to and how they will affect your business.
The majority of the changes to PCI DSS are clarifications of requirements that were already being fulfilled but they do have an impact on everything from control for tampering, to formally documenting the responsibilities of both merchants and service providers as well as a host of other effects for any business that processes credit card payments online.
There are 3 Major Issues that you need to concern yourself with if you run a business online that takes credit card payments, they are:
- The definition of scope
- Segmentation
- New merchant and provider requirements
- Tampering with point of sale devices
Let’s start with issue # 1: The definition of scope
One of the more complicated issues related to PCI compliance is the definition of scope. There are now over 200 sub requirements in PCI DSS, many of which are not known by most business owners. The days of being able to simply run a vulnerability scan are over.
Because of information sharing and the fact that most businesses use what’s known as a “flat network” with only the connection to the internet connection is protected by a firewall and every server can communicate without additional layers of security between them, hackers can gain access to credit card information without even directly attacking the system that credit cards are processed through. This means an enterprising hacker can simply find the path of least resistance into the system and then gain access to the credit card information from within. Similar to the scene in horror movies where the babysitter realizes that the call is coming from within the house!
Because of this loophole in the system, PCI DSS compliance is required on all systems including those that actually deal with credit card information and their security systems.
Let’s now move on to issue # 2: Segmentation.
One of the proposed solutions encouraged by PCI is segmentation of netowrks using firewalls to keep the systems that deal with credit card information separate from the other servers, and parts of the network. As of July of last year, version 3.0 of PCI requires an annual penetration test to make sure that the chosen methods of segmentation are both “operational and effective.” Take a moment after reading this article to check you own segmentation to make sure it is effective and not just providing a false sense of security.
Another issue that you need to pay attention to if you’re a business owner who takes payments online is # 3: New merchant and provider requirements.
The new adjustments to the PCI also affect any third-party that comes into contact with or could otherwise compromise the security of data on behalf of the merchant. This could be anything from a service provider that works on your firewall, a support center or even your online cloud service provider.
Merchant/Provider agreements were in the news during the most recent breach of Target’s customer data which is believed to have started from a cyber break in of a HVAC contractor.
PCI DSS 3.0 has created new requirements to make responsibility clearer both before and after a potential attack. There is now formal documentation required to explain who is responsible for which PCI requirements, and as of July of 2015 all service providers are required to acknowledge responsibility for PCI compliance.
The last issue I want to address in this article # 4: tampering with point of sale devices.
Tampering is a major problem at places as diverse as gas station pumps and ATM machines. Often times thieves will place skimmers, or hidden cameras under these point of sale devices and steal information as well as potentially gaining access to the system. As of July 2015 there is a new PCI requirement which states that all devices much be regularly checked for signs of tampering.
While it would be almost impossible to detail all of the changes that have occurred due to PCI DSS 3.0, in this article I have outlined and discussed the 4 most important changes that you need to be aware of. While PCI DSS 3.0 went into effect on January 1st 2015, there were a lot of requirements including several of the ones mentioned in this article which did not go into effect until over 6 months later in July.
Now that I have refreshed your memory on the updated requirements of PCI DSS 3.0 you should check to make sure that your business and all of it’s subcontractors and service providers are in full compliance.
If you’d like further information on how Storm Internet can help you with PCI Compliance, get in touch with us by clicking here. Or call us on 0800 817 4727
Speak with a Storm Expert
Please leave us your details and we'll be in touch shortly
A Trusted Partner