• (800) 846-4472



PCI 3.0

Three ways to protect your business in 2015

The Payment Card Industry Security Standards Council® (PCI SSC), an open global forum that develops, maintains, and manages the PCI Data Security Standards (DSS), has released a new set of standards, PCI 3.0, which take effect on January 1, 2015.

The PCI SSC systematically reviews its rules and regulations to address ever-evolving security concerns, and releases a new set of standards every three years. The standards aim to protect and educate industry players such as merchants, processors, software developers, financial institutions and other organizations that store, process, and transmit cardholder data around the world.

Vantiv Integrated Payments understands that maintaining PCI compliance can be challenging at times, so we are here to help. What does PCI 3.0 mean for you? Following are three key themes of the new requirements, along with specific requirements for each.

1. Compliance is business as usual

Merchants who fail to make PCI compliance a priority may not understand that they are under a constant threat of a data breach. Compliance is not a one-time event, but a continuum that ebbs and flows as different factors present themselves in the credit card processing environment. The initial investment of time and company resources to achieve compliance will pay off. Making PCI compliance a part of your daily operations is much more sustainable and effective than treating it as an annual review process.

The requirements that fall under this theme include:

  • Req 1.1.1 – Establish a formal process for approving and testing all network connections and changes to the firewall and router configurations.
  • Req 1.1.7 – Review firewall and router rule sets at least every six months.
  • Req 9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  • Req 11.3 – Implement a methodology for penetration testing.
  • Req 12.2 – Implement a risk-assessment process that:
    1. Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
    2. Identifies critical assets, threats, and vulnerabilities, and...
    3. Results in a formal risk assessment.

2. Increased education and awareness

Unfortunately, small and medium sized businesses have become a large target for hackers seeking to steal credit card information. Oftentimes, these types of merchants do not have the resources or technological know-how to protect themselves. PCI 3.0 aims to educate merchants so they can recognize security threats sooner rather than later.

Understanding the flow of card data through your network will help you identify potential security threats, and recognize the areas of your business that are in scope of PCI compliance. PCI 3.0 contains card data flow diagrams and lists system components that need to be documented and maintained.

PCI 3.0 also places more emphasis on educating employees. Many PCI programs include online employee training, which make it easier for you to educate your staff. Your employees need to understand what they can do to detect and protect your business from intruders (i.e., not allowing unauthorized people to make changes to the POS). Merchant SecureAssist®, Vantiv Integrated Payments’ security solution offered in partnership with Approved Scanning Vendor Trustwave®, includes employee training programs, along with several other critical services.

The requirements that fall under this theme include:

  • Req 1.1.3 – Current diagram depicting all cardholder data flows across systems and networks.
  • Req 5.1.2 – For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
  • Req 7.1.1 – Define access needs for each role, including:
    1. System components and data resources that each role needs to access for their job function, and
    2. Level of privilege required (for example, user, administrator, etc.) for accessing resources. Req 12.6 - Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
    3. Req 12.6.1 – Educate personnel upon hire and at least annually.

3. Security as a shared responsibility

PCI compliance contains several moving pieces. Another focus of PCI 3.0 is to help merchants understand how all the pieces affect the card processing environment. The vendors who maintain your network and provide support may impact the security of your cardholder data environment.

Be sure you have written agreements with your POS provider that define the security requirements they manage, and those you manage. It is important to understand how your processor, POS reseller, and POS software all contribute to your compliance status. Ultimately, you are responsible for any card data compromises, so be sure that the people you work with are meeting the industry accepted guidelines.

The requirements that fall under this theme include:

  • Req 12.3.8 – Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity. Ensure your vendor disconnects or has set up the session to automatically disconnect.
  • Req 12.6 – Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
  • Req 12.8 – Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data (e.g. resellers that manage or service your POS and network).
  1. Req 12.8.2 – Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customers’ cardholder data environment.
  2. Req 12.8.3 – Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

For more information and resources to help you maintain your security please visit the following links:

PCI Security Standards Council
https://www.pcisecuritystandards.org/

“Why Comply with PCI Security Standards”
https://www.pcisecuritystandards.org/security_standards/why_comply.php

Merchant SecureAssist ® Powered by Trustwave ®
https://pci.trustwave.com/Vantiv Integrated Payments

Cardholder Information Security Program (CISP)
http://usa.visa.com/merchants/protect-your-business/cisp/


At Your Fingertips

Download the EMV Handbook

The impending shift in liability for card-present fraud is driving a transition to EMV. Are you ready? This handbook can help you prepare.

Get ready for EMV. We can help.

Vantiv Integrated Payments is ready for EMV and has the technology and a network of providers that merchants need to enter the new era of payments.

Find a local POS Provider

This free service helps you find a POS provider who can help you identify and implement the best EMV solution for your business.


 
 
Thank you for your interest in
Vantiv Integrated Payments.
We just need a little info to get started.