Released today, the updated standards make security more of an everyday affair, expert says.
The payment card industry today introduced version 3.0 of its data security standard, requiring online merchants and other companies to take a more thorough approach to protecting payment card account data stored and transmitted through computer networks.
The standard, a set of rules known as the Payment Card Industry Data Security Standard, or PCI DSS, was published in its new version today by the PCI Security Standards Council and is available for review on the council’s web site, PCISecurityStandards.org. The council, which was founded by payment card companies Visa Inc., MasterCard Worldwide, Discover Financial Services Inc., American Express Co. and JCB International Co., also includes as members hundreds of banks, payment transaction processors and other businesses involved in payment technology and services.
“Version 3.0 will help organizations make payment security part of their business-as-usual activities,” the council says in a statement issued today. It adds that the new version calls for an “increased focus on education, awareness and security as a shared responsibility.”
Although merchants and others involved in handling payment card account data don’t have to adhere to the more than a dozen new requirements under version 3.0 until Jan. 1, 2015, industry experts are advising merchants to start preparing for them now. Merchants who don’t comply with the standards risk paying fines or losing their ability to accept online payment card transactions from customers.
Michael Aminzade, director of compliance for Trustwave, a provider of data security technology and services with 36 clients among the Internet Retailer Top 1000, describes the following steps as the most important for online merchants to take under the revised standards:
● Make PCI compliance part of a daily routine. “Senior management will be responsible for ensuring someone is maintaining PCI controls and obligations at all times,” Aminzade says.
● Train temporary workers, including seasonal staff hired for peak holiday periods, in proper methods of handling and storing payment card account data.
● Develop better identification of the scope of the “cardholder data environment,” or CDE, including all systems that transmit, process or store cardholder data, and develop better policies for protecting information contained within that environment. “The risk for an organization of getting the scope of the CDE incorrect is that systems not included within the scope will not even be reviewed to check if they contain card data and the appropriate security controls in place,” Aminzade says. Merchants also need to be careful when forwarding card data for secure storage by outside service providers. The complexity of such data transfers has been known to leave merchants at risk of data breaches, Aminzade says. The new PCI standard, he adds, will insist that service providers use effective systems of credentials to access merchants’ customer card data.
● While encrypting data to protect it, also protect the encryption keys used to unlock the information. “Expect the updated PCI standard to tighten the rules around encryption key management,” Aminzade says. He advises merchants to use methods of key management available from industry groups including the National Institute of Standards and Technology, the Payment Card Industry Payment Terminal Standard and the SANS Institute. (SANS stands for system administration, audit, network and security.)
● Gear up for more effective “penetration testing,” the process of testing whether computer networks and software applications containing card data can be breached by criminals. “The next version of PCI DSS should greatly improve the quality of the penetration testing that is required,” Aminzade says. He advises merchants to follow penetration testing methods provided by industry organizations such as the Open Web Application Security Project and the National Institute of Standards and Technology.