As of November 1, 2016, the PCI SSC (Payment Card Industry Security Standards Council) considers PCI DSS 3.1 officially retired. According to the PCI SSC, all retail businesses should implement the new regulations published in the Payment Card Industry Data Security Standards (PCI DSS) version 3.2. Businesses must take steps to comply with the new rules before 2018 to avoid noncompliance penalties. If you’re a retailer who handles payments online, here’s what you need to know:
PCI DSS Version 3.2 Rules Enforcement
The update to the standards occurred in early 2016 and took effect on November 1, but the regulatory agency will consider the changes as best practices until February 1, 2018. At that time, they will enforce all new requirements. Many of the changes within PCI DSS 3.2 directly affect online retailers who use third-party payment processors. The standards may not apply to companies that completely outsource purchase and payment processes or exclusively use mail and telephone order processing.
Why the Need for Updates?
An increase in Man in the Middle (MitM) attacks, database hacks, and point-of-sale (POS) incidents in the payment card industry fueled the development of version 3.2. In MitM attacks, hackers impersonate a person during the transaction and redirect data as it’s transmitted from checkout to payment processing. Recent studies have shown there are vulnerabilities associated with particular credit card types. For instance, a 2016 study by Newcastle University revealed that certain attacks only work against Visa’s payment methods—and the research team even created a video, “How it takes just six seconds to hack a credit card” to demonstrate their findings.
What’s New in PCI DSS Version 3.2?
The updated rules affect requirements 3, 6, 10, 11, and 12 of the PCI DSS. New sub-requirements alter section 8. Under the new payment cards data security rules, significant e-commerce changes include:
- Under requirement 3.3, all businesses that need to display more than the first six or last four digits of a primary account number (PAN) need a legitimate reason for doing so.
- Requirement 3.5.1 commands all service providers (including online retailers or their payment processors) to create and maintain documentation for encryption practices for cardholder data environments.
- Subsections of requirement 8.3 now require multifactor authentication for individuals with the ability to access cardholder data remotely.
- Under requirement 10.8, service providers must create time-sensitive detection and reporting processes for critical security systems, including devices. Service providers must also create recovery plans and swiftly address all failures. The new requirement affects card service providers and arises from cyberattacks such as the Target breach in 2013.
- Requirement 22.214.171.124 asks service providers to perform biannual penetration testing on all segmented controls.
- Section 12 requires that company leadership establish accountability for cardholder data protection including the creation of a compliance program.
When the changes go into enforcement in 2018, online retailers should demonstrate strong security controls for card processing by creating unique access controls, eliminating default passwords, and practicing ongoing security evaluations to optimize data security practices. Migrating to version 3.2 compliance activities sooner rather than later is one important security step.
Avoid the Costs of Noncompliance
The PCI DSS is not a federal regulation. It is a joint effort among the top payment card brands in the world to encourage strong security practices and reduce risk. While the standards are not laws, failure to comply can mean steep fines from their acquiring banks and the revocation of privileges in credit card acceptance. Depending on the situation and your business type, you may have to pay $5,000 to $500,000 a month in fines until the issue is resolved. PCI DSS is all about minimizing risks and clarifying accountability for cybersecurity practices within the payment cards industry.
In the event of a data breach, compliance also significantly reduces a merchant’s liability. Those who follow the recommended standards and use authorized payment devices, for instance, may not face the same amount of liability risks as a merchant who uses untested and potentially compromised systems. Following PCI DSS enables online retailers to protect themselves from the risk of a security event and the subsequent aftermath.
To avoid thousands of dollars in fines that compound over time, retailers who handle cardholder data should collaborate with compliance-friendly managed hosting services to streamline security practices. Companies that specialize in PCI DSS hosting solutions offer the technology and proper processes to improve your security and compliance methods.
For example, 256-bit AES encryption and logged backup storage for data at rest helps businesses that do store data to comply with requirement 3. Integrated solutions such as automated vulnerability scanning, firewall maintenance, and log monitoring work can reduce oversight and simplify the compliance process. Look for hosting solutions that match PCI DSS requirements. Ask service providers about version 3.2 compliance, and incorporate security into core business practices.
Recognize the Benefits of PCI DSS Rules
You should consider PCI DSS as a foundation for a strong cybersecurity strategy. It will not eliminate the threat of a security breach, but it will reduce your risks greatly and facilitate the recovery process should something occur. While the rules appear daunting at first, they represent core practices security professionals recommend and that ultimately can save your business.
If you process payments at a pharmaceutical company, a boutique e-commerce shop, or a large multinational corporation, you may fall under the scope of PCI DSS. It’s wise to start the process now by building a culture and infrastructure of compliance.
Additional Resources on This Topic:
PCI DSS Resource Guide
5 Ways to Protect your Customers’ Credit Card Swipes
New Payment Data Card Security Rules Place New Duties on Online Retailers
Why Your Company Needs the Payment Card Industry Data Security Standard