Online vendors that rely on point-of-sale (POS) services and systems have always had plenty on their plates to stay compliant. Their to-do lists may now carry an additional item following the changes to the Payment Card Industry Data Security Standard (PCI DSS) released earlier this year. Version 3.2 brings changes of considerable significance even for small online vendors.
With the newest payment card industry (PCI) changes rolling in, digital merchants are expected to comply with several additional security measures designed to better safeguard individual cardholder data. The new PCI DSS alterations may now affect smaller vendors in ways that did not affect them before.
Previous PCI DSS Requirements
PCI DSS requirements have focused particularly on the general security of the backend: server configurations, connections, encryption and so on must be configured with compliance in mind. Here are a few of the most important PCI DSS requirements in place:
- A firewall configuration must be installed and maintained to protect card-holder data.
- Access to card-holder data must be restricted.
- Each person with computer access must be assigned a unique ID.
- Security systems and processes must be assessed regularly.
- All access to network resources and card-holder data must be monitored at all times.
- Physical access to card-holder data must be restricted.
- Anti-virus software must be utilized and kept up to date.
- Card-holder data must be encrypted whenever it is transmitted on a public network.
Front-end configuration and safety precautions have so far received little attention, and the latest changes do not affect them. The recent changes to the PCI DSS are nonetheless important for digital retailers and are sure to impact smaller retailers in particular.
How This Round of Changes Impacts Retailers
The latest changes to PCI DSS now impose self-assessment of compliance on so-called level 4 merchants. These merchants were previously not required to submit the same formal documents as higher-level merchants. With the recent round of revisions, they can expect to deal with a few of these requirements now.
Source: Host Merchant Services and Visa
Level 4 merchants must submit a Self-Assessment Questionnaire (SAQ) to their issuing banks in order to remain completely compliant.
A Self-Assessment Questionnaire (SAQ) is a form intended to help the payment card industry keep track of compliance with the security measures that protect users’ card information as it is captured, transmitted or otherwise used on a digital merchant’s network or platform. These forms are to be submitted by all eligible organizations to report their own PCI DSS results.
Merchants in the 4th tier are no longer exempt from this requirement despite operating with fewer than 20,000 transactions (or 1 million transactions total).
The newest PCI DSS changes are not merely confined to smaller retailers, though; even level 1 vendors are expected to abide by a revised set of rules. For level 1 merchants, compliance is even more stringent than before. These high-volume vendors are now required to submit annual computer system audits and quarterly network scans to stay out of trouble.
Computer system audits, or “Information Technology Audits”, can range in complexity and duration depending on the network under inspection. For many level 1 merchants, this constitutes a significant investment of time and resources, due to the general size of their network systems. This is an important point to plan for: a network that necessitates a month-long audit must be accommodated ahead of time.
Network scans take far less time to complete, up to 4 hours under the most trying conditions. However, level 1 merchants must schedule them appropriately to avoid missing a quarter.
PCI DSS Compliance Requires Compliant Providers
As we mentioned above, most of the crucial elements of compliance with the rules contained in the PCI DSS come down to proper backend configuration and careful management of the PCI security controls. It’s important to keep in mind that the burden of compliance is shared between your organization and your providers.
OnRamp owns and operates PCI-compliant data centers to deliver secure colocation and cloud services. You can expect the necessary firewalls, encryption, logging, authentication mechanisms and more for keeping up with the increasingly stringent regulations in the PCI DSS. EPMG Advisors, a leading secure payment management services company, partners with OnRamp to deliver end-to-end secure payments.
“Cybercrime costs have exceeded well over $2.8 trillion. If there’s money to be made, criminals will continue their attacks on any size business. Any organization that handles cardholder data has the obligation to its customers to make sure security is a priority at every level of their organization. If security is not embedded into the company’s DNA, it’s not a matter of if you’ll get hacked, but when. Every organization should build a culture of security that is layered. These layers should prioritize your people, your process, and the technology used,” says Managing Director & Chief Payments Officer, Michael Casey of EPMG Advisors.
If your organization doesn’t have the resources and expertise to manage PCI compliance, ask us how we can assist.
Additional Resources on This Topic:
Photo Credit: idtheft.authority Flickr via Compfight cc