The Green Sheet, Inc

The Green Sheet Online Edition

June 08, 2015  •  Issue 15:06:01

Ready or not, PCI 3.0 is here

The deadline for PCI 3.0 mandatory compliance is fast approaching. If you and your merchants are compliant, that's good news. The bad news: the odds are against ongoing compliance. That's why card data security needs to be a multifaceted undertaking.

"PCI, EMV, point-to-point encryption – all of these things have to be done together," said Don Brooks, Senior Security Engineer at security services company Trustwave. These days EMV (short for Europay, MasterCard and Visa, the technical standard for chip cards and chip-reading terminals) is garnering much attention, with its looming October 2015 deadline for compliance.

However, compliance with the latest Payment Card Industry Data Security Standard (PCI DSS, or often just PCI) is mandatory beginning June 30. Acquirers and their partners should be working now to ensure merchants are and remain compliant with PCI 3.0, Brooks advised in an interview with The Green Sheet. "Ultimately it all comes down to the acquirer and the ISO making sure merchants are doing the right thing," he said.

PCI 3.0, released in 2014, updates the standard, which was previously updated in 2011. The effective date was January 1, 2015, but mandatory compliance was delayed for six months to provide companies sufficient time to complete implementation routines.

More hands-on approach

The scope of PCI 3.0 is much broader than past versions, placing greater responsibility on merchants for protecting the integrity of POS devices, networks and authentication protocols, as well as for oversight of third-party service providers. "The changes focus on responding to what the bad guys are doing," Brooks said.

Over the past few years, for example, hundreds (possibly thousands) of malware-infected POS devices have been the source of major card-data breaches. So PCI 3.0 specifically requires that merchants keep tabs on and regularly inspect POS devices for tampering and substitution, and that they train employees to be on the lookout for signs of device tampering.

Also, as PCI compliance requirements have expanded, more merchants are outsourcing risk management and PCI compliance routines. It's an understandable step – even the simplest self-assessment forms are pages long – but it comes with its own set of responsibilities. Under PCI 3.0, for example, merchants need to validate authentication routines used by third parties and ensure those providers use unique authentication credentials for each customer. They also must require that third-party providers acknowledge in writing their responsibilities concerning cardholder data.

Compliance improves, or does it?

Security breaches are a major source of concern for organizations large and small. Indeed, few companies seem immune. A survey of 9,700 businesses by the consultancy PricewaterhouseCoopers (PwC) revealed those companies alone detected nearly 43 million "security incidents" last year. Incidents are not breaches, but they can lead to breaches. PwC estimated (based on its data) that security incidents have been increasing at a compound annual rate of 66 percent since 2009, when there were fewer than 9 million incidents.

Worse, many companies remain unaware of their responsibilities for protecting card data. Software Advice, a unit of the consultancy Gartner Inc., surveyed small and midsize businesses on PCI 3.0 in December 2014 and found nearly one in five did not even know what PCI was; 30 percent did not know the penalties for noncompliance. Just 38 percent said they were "very confident" they would be compliant with the updated PCI rules; fewer yet, 16 percent, expressed confidence in their understanding of the new rules regarding third-party provider oversight.

Meanwhile, Verizon Communications Inc., which operates a unit focused on card data security and PCI compliance, issued the Verizon 2015 PCI Compliance Report. The study revealed that between 2013 and 2014, compliance with 11 of the 12 PCI requirements was up. The biggest increase was in procedures for authenticating network access; most of the lowest scores involved testing procedures, the report noted.

"Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to improve, but four out of five companies still fail at interim assessment," the Verizon report stated. "This indicates that they've failed to sustain the security controls they put in place."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
