You probably don’t have a lot of spare time on your hands. Between managing your business and employees and ensuring your clients’ needs are being met, the last thing you might be concerned about is adhering to the Payment Card Industry (PCI) Data Security Standard. But hold up. If your business (or any of your vendors) handles client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. They could be the difference between your business surviving and thriving or going down the drain.
PCI Data Security Best Practices
In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. Five of its requirements were defined as “best practices,” and as of June 30, 2015, these requirements are mandatory and may affect your organization.
The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”
The two requirements that could most affect your organization are Requirements 12.9 and 9.9.
- Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
- Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide, in writing, the details of their role in providing PCI compliance, as well as any requirements they place on your organization. Requirement 12.9 relates to Requirement 9.9 where devices used to scan or input credit card information are concerned: a vendor’s compliance requirements may oblige your organization to meet Requirement 9.9 by protecting and monitoring the devices it uses to scan or input credit card information. And because it is ultimately your organization’s responsibility to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to the requirements of their PCI compliance standards. It is always best practice to document in detail when testing for PCI compliance or communicating with your vendor.
Remaining Three Best Practice PCI Compliance Requirements
The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.
- Requirement 6.5.10 – Broken authentication and session management. Secure authentication and session management prevent unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable an intruder to assume the identity of an authorized user.
- Requirement 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
- Requirement 11.3 – Implement a methodology for penetration testing. See p. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet for details.
The End of Outdated Secure Sockets Layer Encryption Protocol
Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the use of the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.
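As an added example, not part of the original article: a small Python audit that scans nginx `ssl_protocols` and Apache `SSLProtocol` directives in a constructed configuration and reports the lines that still enable SSLv2 or SSLv3, with the corrected TLS-only forms beside them. It assumes the Apache `all` keyword expands to SSLv3 plus TLS 1.0 through 1.2, as in Apache 2.4 with a current OpenSSL.

```python
import re

# Constructed sample: two weak directives followed by their corrected forms.
SAMPLE_CONFIG = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all -SSLv2
# corrected forms: SSL disabled, only TLS negotiated
ssl_protocols TLSv1.2;
SSLProtocol all -SSLv2 -SSLv3
"""

# Protocol names the audit treats as disallowed: SSL in any version.
DISALLOWED = {"sslv2", "sslv3"}

# nginx lists enabled versions explicitly and ends the directive with ';'.
NGINX_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.IGNORECASE)
# Apache uses +/- modifiers and the 'all' keyword.
APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)
# Assumption: what Apache's 'all' expands to (Apache 2.4, current OpenSSL).
APACHE_ALL = ["sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"]

def apache_enabled(spec):
    """Resolve an Apache SSLProtocol value into the list of enabled versions."""
    enabled = []
    for tok in spec.split():
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else [name]
        if tok.startswith("-"):
            enabled = [n for n in enabled if n not in names]
        else:
            enabled.extend(n for n in names if n not in enabled)
    return enabled

def audit(config_text):
    """Return (line number, directive, enabled SSL versions) for each weak line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = NGINX_RE.match(line)
        if m:
            enabled = [t.lower() for t in m.group(1).split()]
        else:
            m = APACHE_RE.match(line)
            if not m:
                continue
            enabled = apache_enabled(m.group(1))
        bad = sorted(set(enabled) & DISALLOWED)
        if bad:
            findings.append((lineno, line.strip(), bad))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags lines 1 and 2 for SSLv3; the two corrected directives produce no findings.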
Remember, although you may employ a vendor to process credit card payments, it is still your client’s data, and the ultimate responsibility to protect that data rests with you.
We hear of new breaches daily, so it’s in the best interest of your organization to know its responsibilities for PCI compliance. Don’t assume that all the responsibility is on a third-party vendor, because it is all of our responsibility to maintain security and protect the integrity of our data.
By Joe Welker, CISA (New Philadelphia office)