The Green Sheet Online Edition
June 08, 2015 • Issue 15:06:01
Ready or not, PCI 3.0 is here
The deadline for PCI 3.0 mandatory compliance is fast approaching. If you and your merchants are compliant, that's good news. The bad news: the odds are against staying compliant. That's why card data security needs to be a multifaceted undertaking.
"PCI, EMV, point-to-point encryption – all of these things have to be done together," said Don Brooks, Senior Security Engineer at security services company Trustwave. These days EMV (short for Europay, MasterCard and Visa, the technical standard for chip cards and chip-reading terminals) is garnering much attention, with its looming October 2015 deadline for compliance.
However, compliance with the latest Payment Card Industry Data Security Standard (PCI DSS, or often just PCI) is mandatory beginning June 30. Acquirers and their partners should be working now to ensure merchants are and remain compliant with PCI 3.0, Brooks advised in an interview with The Green Sheet. "Ultimately it all comes down to the acquirer and the ISO making sure merchants are doing the right thing," he said.
PCI 3.0, released in 2014, updates the standard, which was last revised in 2011. The effective date was January 1, 2015, but mandatory compliance was delayed six months to give companies enough time to complete implementation.
More hands-on approach
The scope of PCI 3.0 is much broader than past versions, placing greater responsibility on merchants for protecting the integrity of POS devices, networks and authentication protocols, as well as for oversight of third-party service providers. "The changes focus on responding to what the bad guys are doing," Brooks said.
Over the past few years, for example, hundreds (possibly thousands) of malware-infected POS devices have been the source of major card-data breaches. So PCI 3.0 specifically requires that merchants keep tabs on and regularly inspect POS devices for tampering and substitution, and that they train employees to be on the lookout for signs of device tampering.
Also, as PCI compliance requirements have expanded, more merchants are outsourcing risk management and PCI compliance routines. It's an understandable step – even the simplest self-assessment forms are pages long – but it comes with its own set of responsibilities. Under PCI 3.0, for example, merchants need to validate the authentication routines used by third parties and ensure those providers use unique authentication credentials for each customer. They also must require that third-party providers acknowledge in writing their responsibilities concerning cardholder data.
Compliance improves, or does it?
Security breaches are a major source of concern for organizations large and small. Indeed, few companies seem immune. A survey of 9,700 businesses by the consultancy PricewaterhouseCoopers (PwC) revealed those companies alone detected nearly 43 million "security incidents" last year. Incidents are not breaches, but they can lead to breaches. PwC estimated (based on its data) that security incidents have been increasing at a compound annual rate of 66 percent since 2009, when there were fewer than 9 million incidents.
Worse, many companies remain unaware of their responsibilities for protecting card data. Software Advice, a unit of the consultancy Gartner Inc., surveyed small and midsize businesses on PCI 3.0 in December 2014 and found nearly one in five did not even know what PCI was; 30 percent did not know the penalties for noncompliance. Just 38 percent said they were "very confident" they would be compliant with the updated PCI rules; fewer yet, 16 percent, expressed confidence in their understanding of the new rules regarding third-party provider oversight.
Meanwhile, Verizon Communications Inc., which operates a unit focused on card data security and PCI compliance, issued the Verizon 2015 PCI Compliance Report. The study revealed that between 2013 and 2014, compliance with 11 of the 12 PCI requirements was up. The biggest increase was in procedures for authenticating network access; most of the lowest scores involved testing procedures, the report noted.
"Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to improve, but four out of five companies still fail at interim assessment," the Verizon report stated. "This indicates that they've failed to sustain the security controls they put in place."