Version 3.0 of the Payment Card Industry Data Security Standard has been released. Trustwave, an information security technology and services company, highlights some of the key changes:
1. Greater technical controls. If you have an e-commerce site, even if it doesn’t handle customer payment card data, there’s a good chance that you now have to apply a considerable number of technical controls. Those merchants that complete a self-assessment questionnaire (SAQ) will want to take a look at SAQ A-EP. Up until now, most e-commerce merchants that outsourced the payments portion of their site completed a short survey that focused on whom they outsourced the payment page to. The challenge in this scenario has been that many merchants have grossly neglected security or have been put under the impression that it wasn’t required. This has led to an environment where hackers have “hijacked” the process where customers are redirected to the third party for payment acceptance. This new SAQ hopes to help close that gap.
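One control a merchant can put behind that redirect step is to verify, server-side, that the customer is only ever sent to the contracted payment processor. The following Python is an added illustration and is not code from the article or from Trustwave; the processor hostname is a hypothetical placeholder. It shows why an exact host comparison over a parsed URL is needed rather than a substring match, since lookalike hosts, an http downgrade and userinfo tricks all contain the trusted name as text.

```python
"""Allowlist check for a hosted-checkout redirect target.

Constructed example: before an e-commerce site redirects a customer to
its outsourced payment page, it confirms the target URL really points at
the contracted processor. Hostnames below are hypothetical placeholders.
"""
from urllib.parse import urlsplit

# Hypothetical contracted processor host(s); a real deployment would load
# these from configuration, not hard-code them.
ALLOWED_PAYMENT_HOSTS = {"checkout.example-processor.test"}


def is_trusted_redirect(url: str, allowed_hosts=ALLOWED_PAYMENT_HOSTS) -> bool:
    """Return True only if url is an https URL whose exact host is allowlisted.

    Rejects the common lookalikes:
      - http:// downgrade of the real host
      - prefix/suffix hosts such as checkout.example-processor.test.evil.test
      - userinfo tricks such as https://checkout.example-processor.test@evil.test/
      - non-URL schemes such as javascript:
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":          # scheme is normalised to lowercase
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # userinfo never belongs in a checkout link
    host = parts.hostname                # lowercased, port and userinfo stripped
    if not host:
        return False
    return host in allowed_hosts         # exact match, never substring


def safe_redirect_target(url: str, fallback: str = "/checkout/error") -> str:
    """Return url if trusted, otherwise a local fallback path (constructed)."""
    return url if is_trusted_redirect(url) else fallback


if __name__ == "__main__":
    for candidate in (
        "https://checkout.example-processor.test/pay?order=123",
        "http://checkout.example-processor.test/pay?order=123",
        "https://checkout.example-processor.test.evil.test/pay",
        "https://checkout.example-processor.test@evil.test/pay",
        "https://evil.test/checkout.example-processor.test",
    ):
        print(f"{candidate} -> {safe_redirect_target(candidate)}")
```

The check belongs on the server that issues the redirect, so that a tampered template, script or configuration value cannot silently point customers elsewhere.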
2. Increased penetration testing requirements. Not only are the rules for penetration testing more stringent, but the new version of the standard mandates that merchants or service providers who segment their network (many of whom use SAQ C and D today) now will have to prove that segmentation with a penetration test.
3. Physical security for POS terminals. Terminals need to be catalogued and inspected on a regular basis to ensure they haven’t been tampered with.
4. More explicit service provider responsibility. It’s not enough for service providers to say they’re compliant. They need to acknowledge which requirements they will handle (versus those that you will handle). Many merchants outsource responsibility but fail to realize they not only hold most of the liability but also could be responsible for a large portion of compliance.
For more info on this topic, watch the AH&LA member webinar “PCI 3.0 Is Here—How to Prepare” on www.ahla.com.