The Green Sheet Online Edition
January 12, 2015 • Issue 15:01:01
New Year's Eve countdown to PCI DSS 3.0
Jan. 1, 2015, marked the beginning of a new year, as well as the deadline for implementation of a new set of security standards. The PCI Security Standards Council released Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 in January 2014, and gave merchants and payment services providers one year to review and upgrade their PCI DSS 2.0-compliant systems.
The security community embraced the new standards, noting the enhanced protections for e-commerce, widely considered to be a leading point-of-entry for cyber attacks. Many security analysts emphasize that security best practices require constant vigilance that extends far beyond required scans, penetration tests and self assessment questionnaires.
Sustainable best practices are business-as-usual
Suraj Srinivas, Director of Security Consulting at ANX, a Michigan-based data security organization, sees the spirit of constant vigilance reflected in the business as usual (BAU) concept introduced in PCI DSS version 3.0.
"ANX Qualified Security Assessors [QSAs] were early adopters of this concept, having seen its success in other audit programs," Srinivas said. "The key to success for any compliance program is its sustainability. Sustainability is achieved by having a methodical process for ensuring that all the necessary preparatory steps are performed during the course of the year, easing the burden of the annual PCI assessment."
He added that a common piece of advice that ANX offers clients is to "measure twice and cut once," which is aligned with the company's overall approach. ANX supports customers' BAU initiatives with a blended approach that leverages a software-as-a-service compliance tool with the hands-on expertise of the company's QSAs. He believes the company's focus on sustainable best practices keeps compliance in the forefront as a systematic, year-round process for its customers.
Protecting the transaction life cycle
Frank Stornello, Chief Marketing and Strategy Officer for Verifi, noted that the impact of omni-channel trends on payment technology has made full life cycle transaction protection critical for best-in-class online commerce. For retailers, protecting omni-channel payments from start to finish while ensuring a seamless shopping experience requires a careful blend of pre- and post-sale security and fraud prevention.
"The landscape of payments is quickly evolving and new payment options and technologies are emerging rapidly – giving consumers many choices for payment: mobile, online, cash, credit, loyalty points and digital currencies to name a few," Stornello said. "Unfortunately, security lapses change shopper behavior. Studies show a direct correlation between a data breach and consumer confidence – threatening the merchant's ability to remain in business."
E-commerce: not one-size-fits-all
PCI DSS 3.0 guidelines categorize e-commerce merchants by matching self-assessment questionnaires (SAQs), scans and testing levels to each group's degree of exposure to cardholder data. Many security analysts believe e-commerce merchants who implement PCI 3.0 security controls will significantly mitigate the risk of cyber attacks.
Following are three distinct forms of e-commerce and their respective SAQs:
- SAQ A merchants, as defined by the PCI SSC, are card-not-present merchants that do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises. These companies outsource credit card processing to third-party service providers, and do not need to conduct penetration testing or scans. A 14-question SAQ A and an Attestation of Compliance are their only requirements.
- SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises.
- SAQ D, which comprises 335 questions, is the most rigorous PCI DSS 3.0 SAQ due to the increased risk of fraud by merchants and payment service providers in this category. These types of processing environments include e-commerce merchants who accept cardholder data on their websites and merchants who store electronic data.
Merchants remain first line of defense
Verifi's Stornello noted that as payments become more complex, merchants will increasingly be called upon to shoulder the "full burden of true as well as friendly fraud" as consumers increasingly rely on them to protect the integrity of their payment transactions.
"Merchants are facing confusing statements, changing compliance requirements, determined hackers, and no shortage of processing fees, multiple discount rates, and chargebacks," Stornello added. "Consumers expect merchants to protect their payments at all phases of the transaction lifecycle – even identity theft – which occurs before the payment card even enters the payment stream."