PCI DSS 3.0: Key Lessons for Merchants

by Stephen Price

Payment security standards got an upgrade on January 1, 2015, when most of the changes to the Payment Card Industry Data Security Standard (PCI DSS) came into effect. Most of the changes are incremental, but version 3.0 of the PCI DSS, since clarified in version 3.1, still introduces demanding new requirements for merchants and payment processors.

But tough standards don’t make anyone safer if they’re never implemented. This year Verizon found that just 20% of businesses complied with all 12 PCI DSS requirements, and that was up from 11% in 2014. Payment security is the responsibility of every merchant that handles credit card data, but many merchants, especially smaller ones, aren’t getting the message.

Understanding the PCI DSS takes time and effort. But even if merchants aren’t in full compliance yet, there are lessons in the version 3.0 changes that can keep customers’ data safer and reduce the merchant’s own exposure in the process.

Think carefully about who has access to your systems

Under PCI DSS 2.0, merchants were required to list, and monitor, the external service providers that held or handled their cardholder data. PCI DSS 3.0 (requirement 12.8) states that merchants must also list and monitor any service provider that could affect the security of cardholder data, whether or not it ever touches the data itself. The standard labels this change a “clarification,” but it’s actually a big deal, and the Target breach illustrates why.

As is well known by now, in November 2013 attackers gained access to Target’s point-of-sale systems, installed malware on them, and stole as many as 40 million credit card numbers from the giant retailer. The attackers are believed to have used network credentials stolen from an HVAC contractor in Sharpsburg, Pennsylvania, which had remote access to Target’s network, reportedly to monitor energy use and temperature in stores.

Did the HVAC contractor have access to cardholder data? No. But could they affect the security of cardholder data? Absolutely.

The number of Target contractors with access to its systems is probably very large indeed. Smaller merchants have less excuse: they should keep a list of every outside party with access to their systems and ask, for each one: what can be accessed, from where, and why? Is that access still necessary? Is it secure, for instance confined to the systems the job actually needs, disabled when not in use, and protected by two-factor authentication?
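One way to turn those questions into a repeatable check, as an added example that is not part of the article: the script below reviews a constructed list of vendor accounts and flags any that can reach the cardholder data environment (CDE) without a documented need, any that have gone unused, and any with remote access but no two-factor authentication. The record fields and the sample accounts are assumptions for illustration; the 90-day inactivity threshold comes from PCI DSS requirement 8.1.4, and the two-factor check from requirement 8.3.

```python
"""Third-party access review for a small merchant (added example, not from the article).

The VendorAccount fields and the SAMPLE records are constructed for illustration;
they are not a PCI DSS schema. Thresholds reference PCI DSS 3.0 requirements.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

INACTIVE_DAYS = 90   # req. 8.1.4: remove or disable accounts inactive for 90+ days


@dataclass
class VendorAccount:
    vendor: str
    account: str
    purpose: str              # the documented business need for the access
    zones: Set[str]           # network zones the account can actually reach
    last_login: Optional[date]
    mfa: bool                 # two-factor authentication for remote access (req. 8.3)
    needs_cde: bool = False   # does the documented purpose require the CDE?


def review_access(accounts: List[VendorAccount], today: date,
                  cde_zone: str = "CDE") -> List[Tuple[str, str]]:
    """Apply the 'what, why, necessary, secure' questions to an access list.

    Returns (account, finding) pairs; an empty list means nothing to act on.
    """
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # "Is that access necessary?" -- reachability beyond the documented need.
        # This is the Target lesson: an HVAC account should never reach the CDE.
        if cde_zone in a.zones and not a.needs_cde:
            findings.append((a.account,
                f"can reach {cde_zone} but purpose '{a.purpose}' does not need it"))
        # "Is it secure?" -- idle vendor credentials are exactly what gets stolen.
        if a.last_login is None or (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.account,
                f"no login in {INACTIVE_DAYS} days; disable until needed (req. 8.1.4/8.1.5)"))
        if not a.mfa:
            findings.append((a.account,
                "remote access without two-factor authentication (req. 8.3)"))
    return findings


# Constructed sample data, modelled loosely on the Target scenario above.
SAMPLE = [
    VendorAccount("Acme HVAC", "acme-hvac", "energy and temperature monitoring",
                  {"vendor-portal", "CDE"}, date(2015, 6, 20), mfa=False),
    VendorAccount("PayCo", "payco-support", "POS terminal support",
                  {"CDE"}, date(2015, 6, 28), mfa=True, needs_cde=True),
    VendorAccount("OldSigns Ltd", "oldsigns", "digital signage updates",
                  {"store-lan"}, date(2015, 1, 5), mfa=True),
]

if __name__ == "__main__":
    for account, finding in review_access(SAMPLE, today=date(2015, 7, 1)):
        print(f"{account}: {finding}")
```

Run against the sample, the HVAC account is flagged twice (it reaches the CDE with no need for it, and has no two-factor authentication), the signage vendor is flagged for going unused, and the processor’s support account, which genuinely needs the CDE and is used and protected, produces nothing.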

Get clarity on who is responsible for each aspect of payment security

Merchants, especially small ones, often rely on outside expertise for payment security, which makes sense. But under PCI DSS 3.0 (requirement 12.8.5), merchants must maintain a document that sets out, for each PCI DSS requirement, whether it is managed by an external service provider or by the merchant itself.

In short: clear lines of responsibility are vital. If merchants don’t know who is responsible for meeting each requirement, they’re not in compliance.

The new standard also serves as a reminder to communicate needs and expectations to external service providers. If merchants are relying on a service provider to protect customers’ card data, they should say so explicitly and put it in writing, ideally in the written agreement with the provider that requirement 12.8.2 already calls for.

Take measures to stop physical tampering

With hacking constantly in the news, it’s easy to forget (relatively) old-fashioned ways of stealing customer data. Yet a spate of skimmers being discovered on gas station card readers and ATMs reminds us that physical security still matters.

PCI DSS 3.0 addresses this problem in requirement 9.9, which requires that devices capturing card data through direct physical interaction, such as point-of-sale card readers, be protected from tampering and substitution. The requirement was a best practice until June 30, 2015; from July 1, 2015, merchants must keep an inventory of these devices (make and model, location, and serial number), inspect them periodically for signs of tampering or substitution, and train employees to recognise and report suspicious behaviour around them.
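As an added example that is not part of the article, the script below reconciles a constructed device inventory against recent inspection records: it flags devices that are overdue for inspection, devices whose serial number at the till no longer matches the inventory (the signature of a swapped reader), broken tamper seals or attached overlays (the signature of a skimmer), and devices found at a location the inventory doesn’t know about. The inventory fields follow requirement 9.9.1; the inspection record layout and the 30-day interval are assumptions, since the standard leaves the inspection frequency to the merchant’s own risk assessment.

```python
"""Card-reader inventory and inspection reconciliation (added example, not from the article).

Inventory fields follow PCI DSS 3.0 req. 9.9.1 (make/model, location, serial).
The Inspection record, the sample data and the 30-day interval are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

INSPECTION_INTERVAL_DAYS = 30  # assumed; req. 9.9.2 only says "periodically"


@dataclass
class Device:
    make_model: str
    location: str   # e.g. the lane or till the reader is installed at
    serial: str


@dataclass
class Inspection:
    location: str
    serial_seen: str        # serial number read off the device during the check
    seals_intact: bool      # tamper-evident seals undisturbed
    attachment_found: bool  # overlay, extra cable or other object attached to the reader
    when: date


def check_devices(inventory: List[Device], inspections: List[Inspection],
                  today: date) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs for anything that needs follow-up."""
    findings: List[Tuple[str, str]] = []

    # Keep only the most recent inspection per location.
    latest: Dict[str, Inspection] = {}
    for insp in inspections:
        if insp.location not in latest or insp.when > latest[insp.location].when:
            latest[insp.location] = insp

    known_locations = {d.location for d in inventory}
    for dev in inventory:
        insp = latest.get(dev.location)
        if insp is None or (today - insp.when).days > INSPECTION_INTERVAL_DAYS:
            findings.append((dev.location, "inspection overdue"))
            continue
        # Substitution check: the serial on the counter must match the record.
        if insp.serial_seen != dev.serial:
            findings.append((dev.location,
                f"serial {insp.serial_seen} does not match inventory {dev.serial}; possible substitution"))
        # Tampering checks: broken seals or something bolted onto the reader.
        if not insp.seals_intact:
            findings.append((dev.location, "tamper seal broken"))
        if insp.attachment_found:
            findings.append((dev.location, "overlay or extra cable attached; possible skimmer"))

    # A reader nobody put on the inventory is itself a finding.
    for loc, insp in latest.items():
        if loc not in known_locations:
            findings.append((loc, f"device {insp.serial_seen} at {loc} is not in the inventory"))
    return findings


# Constructed sample data.
INVENTORY = [
    Device("Reader A100", "lane-1", "SN-0001"),
    Device("Reader A100", "lane-2", "SN-0002"),
    Device("Reader A100", "lane-3", "SN-0003"),
]
INSPECTIONS = [
    Inspection("lane-1", "SN-0001", True, False, date(2015, 7, 14)),
    Inspection("lane-2", "SN-9999", True, False, date(2015, 7, 14)),  # swapped reader
    Inspection("lane-3", "SN-0003", True, False, date(2015, 5, 25)),  # too long ago
    Inspection("kiosk", "SN-7777", True, False, date(2015, 7, 13)),   # unknown device
]

if __name__ == "__main__":
    for location, finding in check_devices(INVENTORY, INSPECTIONS, today=date(2015, 7, 15)):
        print(f"{location}: {finding}")
```

The serial-number comparison is the important one: a skimmer hidden inside a replacement terminal leaves no visible trace, so a substituted reader is only caught by someone actually reading the serial off the device and comparing it with the inventory.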

Fortunately, a few simple measures can help with physical security: