The Green Sheet

Tuesday, May 26, 2015

Ready or not, PCI 3.0 is here

The deadline for mandatory compliance with PCI DSS 3.0 is fast approaching. If you and your merchants are compliant, that's good news. The bad news: the odds are against staying compliant. That's why card data security needs to be a multifaceted undertaking rather than a once-a-year assessment.

"PCI, EMV, point-to-point encryption – all of these things have to be done together," said Don Brooks, Senior Security Engineer at security services company Trustwave. These days EMV (short for Europay, MasterCard and Visa, the technical standard for chip cards and chip-reading terminals) is garnering much attention because of the October 2015 liability shift, after which fraud on counterfeit-card transactions falls on whichever party has not adopted chip technology.

However, the remaining provisions of the latest Payment Card Industry Data Security Standard (PCI DSS, or often just PCI) that were introduced as best practices become mandatory on June 30. Acquirers and their partners should be working now to ensure merchants are and remain compliant with PCI 3.0, Brooks advised in an interview with The Green Sheet. "Ultimately it all comes down to the acquirer and the ISO making sure merchants are doing the right thing," he said.

PCI DSS 3.0, published in November 2013, updates the standard; the previous version, 2.0, dated from 2010 and was retired at the end of 2014. Version 3.0 took effect on January 1, 2014, but a handful of its new requirements (including those on inspecting POS devices and on written acknowledgments from service providers, discussed below) were designated best practices until June 30, 2015, to give companies time to complete implementation. PCI requirements apply to all organizations that accept, process, store or transmit payment card data – from the largest national acquirers to the smallest merchants.

More hands-on approach

The scope of PCI 3.0 is much broader than past versions, placing greater responsibility on merchants for protecting the integrity of POS devices, networks and authentication protocols, as well as for oversight of third-party service providers. "The changes focus on responding to what the bad guys are doing," Brooks said.

Over the past few years, for example, hundreds (possibly thousands) of malware-infected POS devices have been the source of major card-data breaches. So PCI 3.0 specifically requires (Requirement 9.9) that merchants maintain an inventory of card-reading devices, regularly inspect them for tampering and substitution, and train employees to be on the lookout for signs of device tampering.
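The inspection requirement only catches substitution if someone actually compares what is sitting on the counter with what the inventory says should be there. The following script is an added illustration of that reconciliation step, written for this page rather than taken from the article, Trustwave or the PCI Council; the inventory, lane identifiers, model names and inspection log are constructed sample data. It reports the four outcomes an inspector cares about: a device whose serial number no longer matches the record (a swapped terminal), a device found with broken seals, a device whose last check is older than the inspection interval, a device in the inventory that nobody has ever inspected, and, going the other way, a device seen on the floor that the inventory never listed.

```python
from datetime import date

# Constructed inventory in the shape PCI DSS 9.9.1 asks for (make/model,
# location, serial number). All lane ids, models and serials are hypothetical.
INVENTORY = {
    "LANE-01": {"model": "ACME T100", "serial": "T100-0001"},
    "LANE-02": {"model": "ACME T100", "serial": "T100-0002"},
    "LANE-03": {"model": "ACME T100", "serial": "T100-0003"},
    "LANE-04": {"model": "ACME T100", "serial": "T100-0004"},
    "LANE-06": {"model": "ACME T200", "serial": "T200-0006"},
}

# Constructed inspection log (9.9.2): one entry per physical check. Note the
# older LANE-01 entry with broken seals; only the most recent check counts.
INSPECTIONS = [
    {"lane": "LANE-01", "date": date(2015, 5, 10), "serial": "T100-0001", "seals_intact": False},
    {"lane": "LANE-01", "date": date(2015, 5, 20), "serial": "T100-0001", "seals_intact": True},
    {"lane": "LANE-02", "date": date(2015, 5, 18), "serial": "T100-9999", "seals_intact": True},
    {"lane": "LANE-03", "date": date(2015, 3, 1), "serial": "T100-0003", "seals_intact": True},
    {"lane": "LANE-05", "date": date(2015, 5, 21), "serial": "T100-0005", "seals_intact": True},
    {"lane": "LANE-06", "date": date(2015, 5, 22), "serial": "T200-0006", "seals_intact": False},
]

TODAY = date(2015, 5, 26)  # reference date for the sample run


def reconcile(inventory, inspections, today, max_age_days=30):
    """Compare the latest inspection of each lane with the recorded inventory.

    Returns a dict mapping finding -> sorted list of lane ids:
      substituted      latest inspection saw a serial other than the recorded one
      tampered         latest inspection found the seals broken
      overdue          latest inspection is older than max_age_days
      never_inspected  lane is in the inventory but has no inspection at all
      unknown_lane     an inspection names a lane the inventory does not list
    """
    latest = {}
    for entry in inspections:
        prev = latest.get(entry["lane"])
        if prev is None or entry["date"] > prev["date"]:
            latest[entry["lane"]] = entry

    findings = {k: [] for k in
                ("substituted", "tampered", "overdue", "never_inspected", "unknown_lane")}
    for lane, record in inventory.items():
        entry = latest.get(lane)
        if entry is None:
            findings["never_inspected"].append(lane)
            continue
        if entry["serial"] != record["serial"]:
            findings["substituted"].append(lane)
        if not entry["seals_intact"]:
            findings["tampered"].append(lane)
        if (today - entry["date"]).days > max_age_days:
            findings["overdue"].append(lane)
    for lane in latest:
        if lane not in inventory:
            findings["unknown_lane"].append(lane)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, lanes in reconcile(INVENTORY, INSPECTIONS, TODAY).items():
        print(f"{finding:16} {', '.join(lanes) or '-'}")
```

Run against the sample data on May 26, 2015 with a 30-day interval, it flags LANE-02 as substituted (the serial seen does not match the record), LANE-06 as tampered, LANE-03 as overdue, LANE-04 as never inspected and LANE-05 as a device nobody inventoried. The interval is a parameter because the standard leaves the inspection frequency to the merchant's risk assessment; the point of the script is that "keeping tabs" has to mean a record that can be diffed, not a memory of what the terminal looked like last month.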

Also, as PCI compliance requirements have expanded, more merchants are outsourcing risk management and PCI compliance routines. It's an understandable step – even the simplest self-assessment questionnaires run to many pages – but it comes with its own set of responsibilities. Under PCI 3.0, for example, merchants need to confirm that service providers with remote access to their systems use a unique authentication credential for each customer rather than a shared password (Requirement 8.5.1), and they must have third-party providers acknowledge in writing their responsibilities for protecting cardholder data (Requirements 12.8.2 and 12.9).

Compliance improves, or does it?

Security breaches are a major source of concern for organizations large and small. Indeed, few companies seem immune. A survey of 9,700 businesses by the consultancy PricewaterhouseCoopers (PwC) revealed those companies alone detected nearly 43 million "security incidents" last year. Incidents are not breaches, but they can lead to breaches. PwC estimated (based on its data) that detected security incidents have been increasing at a compound annual rate of 66 percent since 2009, when its respondents reported about 3.4 million.

Worse, many companies remain unaware of their responsibilities for protecting card data. Software Advice, a unit of the consultancy Gartner Inc., surveyed small and midsize businesses on PCI 3.0 in December 2014 and found nearly one in five did not even know what PCI was; 30 percent did not know the penalties for noncompliance. Just 38 percent said they were "very confident" they would be compliant with the updated PCI rules; fewer yet, 16 percent, expressed confidence in their understanding of the new rules regarding third-party provider oversight.

Meanwhile, Verizon Communications Inc., which operates a unit focused on card data security and PCI compliance, reported that although overall compliance with PCI continues to improve, few organizations are able to sustain compliance over the long term.

The Verizon 2015 PCI Compliance Report analyzes the outcomes of nearly 3,000 PCI assessments conducted by its Qualified Security Assessors last year, as well as forensic investigation reports produced by the company's security unit. It revealed that between 2013 and 2014, compliance with 11 of the 12 PCI requirements was up, with the biggest increase in compliance witnessed in procedures for authenticating network access. The only area where compliance was lower was with testing security systems. In fact, most of the lowest compliance scores involved testing procedures, the report noted.

"Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to improve, but four out of five companies still fail at interim assessment," the Verizon report stated. "This indicates that they've failed to sustain the security controls they put in place."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
