Friday, December 26, 2014
When the ball drops at 12 a.m. on Jan. 1, 2015, it will mark the beginning of a new year, as well as the deadline for implementation of a new set of security standards. The PCI Security Standards Council released Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 in January 2014, and gave merchants and payment services providers one year to review and upgrade their PCI DSS 2.0-compliant systems.
The security community embraced the new standards, noting the enhanced protections for e-commerce, widely considered to be a leading point-of-entry for cyber attacks. Many security analysts emphasize that security best practice requires constant vigilance that extends far beyond required scans, penetration tests and self assessment questionnaires.
Suraj Srinivas, Director of Security Consulting at ANX, a Michigan-based data security organization, sees the spirit of constant vigilance reflected in the business as usual (BAU) concept introduced in PCI DSS version 3.0.
"ANX Qualified Security Assessors (QSAs) were early adopters of this concept, having seen its success in other audit program," Srinivas said. "The key to success for any compliance program is its sustainability. Sustainability is achieved by having a methodical process for ensuring that all the necessary preparatory steps are performed during the course of the year, easing the burden of the annual PCI assessment."
He added that a common piece of advice that ANX offers clients is to "measure twice and cut once," which is aligned with the company's overall approach. ANX supports customers' BAU initiatives with a blended approach that leverages a software-as-a-service compliance tool with the hands-on expertise of the company's QSAs. He believes the company's focus on sustainable best practices keeps compliance in the forefront as a systematic, year-round process for its customers.
Frank Stornello, Chief Marketing and Strategy Officer for Verifi, noted that the impact of omni-channel trends on payment technology has made full life cycle transaction protection critical for best-in-class online commerce. For retailers, protecting omni-channel payments from start to finish while ensuring a seamless shopping experience requires a careful blend of pre- and post-sale security and fraud prevention.
"The landscape of payments is quickly evolving and new payment options and technologies are emerging rapidly – giving consumers many choices for payment: mobile, online, cash, credit, loyalty points and digital currencies to name a few," Stornello said. "Unfortunately, security lapses change shopper behavior. Studies show a direct correlation between a data breach and consumer confidence - threatening the merchant's ability to remain in business."
PCI DSS 3.0 guidelines categorize e-commerce merchants by matching self-assessment questionnaires (SAQs), scans and testing levels to each group's degree of exposure to cardholder data. Many security analysts believe e-commerce merchants who implement PCI 3.0 security controls will significantly mitigate the risk of cyber attacks.
Following are three distinct forms of e-commerce and their respective SAQ's:
Verifi's Stornello noted that as payments become more complex, merchants will increasingly be called upon to shoulder the "full burden of true as well as friendly fraud" as consumers increasingly rely on them to protect the integrity of their payment transactions.
"Merchants are facing confusing statements, changing compliance requirements, determined hackers, and no shortage of processing fees, multiple discount rates, and chargebacks," Stornello added. "Consumers expect merchants to protect their payments at all phases of the transaction lifecycle - even identity theft - which occurs before the payment card even enters the payment stream."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.