How PCI DSS 3.0 impacts business owners
by Mark Burnette - Partner with LBMC Security & Risk Services - Tuesday, 2 September 2014.
If your business processes, transmits, or stores credit card data, you are subject to the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS 3.0 went into effect in 2014, and introduced new rules and a clarified direction for the guidelines. Among the most important things for a merchant to know about the PCI DSS is that itís constantly evolving, so staying current is an important responsibility.

Remember, these industry-created, industry-maintained, and industry-enforced security rules were designed to standardize security best practices for merchants Ė and curb costly credit card data thefts.

Based on insight from security experts, the card brands, and merchants, the PCI Security Standards Council periodically refines the guidelines to reflect current data security risks and best practices. While the changes are intended to help merchants make transactions safer for themselves and consumers, updates to the rules can also be highly confusing for business owners.

What do you need to know about the new version, and how can you prepare for more changes on the horizon?

Which version?

Non-compliance with PCI rules can result in serious fines: anywhere from $5,000 to $100,000 a month, with the punishments getting more severe if you experience a data breach while out of compliance. If you refuse to fix your problems, you could even lose your ability to take credit cards.

Right off the bat, you should know that you donít have to scramble if youíre not up to date with the new changes. Hereís why: Version 3.0 of the PCI compliance guidelines went into effect on January 1, 2014, but merchants have until 2015 to familiarize themselves with the new rules. For this year only, you may choose to demonstrate compliance against either Version 2.0 or the new Version 3.0.

Which should you choose? That depends entirely on your priorities. If youíre eager to settle your PCI responsibilities, or if the nature of your business means data security is a particularly complex proposition, then it may make sense to get ahead of the game as soon as possible by validating against version 3.0. Similarly, if youíre only just now getting into compliance for the first time, then you might as well get into compliance with the rules that will be mandated in less than five months.

However, letís say youíve already demonstrated compliance against Version 2.0, and you have other challenges and business priorities on your plate. In this case, you may choose to validate against version 2.0 again this year, but itís important that you get acquainted with the changes that are on their way, so youíll be prepared when they go into effect on January 1, 2015.

Whatís changed?

What do those changes look like? Existing rules have been revised and some new rules have been added. Overall, Version 3.0 works to bring greater clarity and standardization to the rules, helping to make them more precise and easier to understand.

What does this mean in practical terms? Previously, merchants were simply required to conduct a penetration test, which is a serious effort by security experts to break into your systems and identify points of vulnerability in your network. But not every merchant knew what constituted a serious test. Some merchants reported results from free vulnerability scanning tools or ďDIYĒ penetration tests - conducted by unqualified internal IT personnel Ė and these methods simply didnít provide the kind of robust verification that the rule was created to enforce. These merchants had met the letter of the rule, but not the spirit, potentially opening themselves and their customers to data theft in the process.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th