The changes to PCI appear to be minor in the grand scheme of things, however the Payment Card Industry Data Security Standards 3.0 (PCI DSS 3.0) has great advantages. These include clarity on security standards, real-life examples and new standards that are flexible – allowing merchants to meet the requirements of PCI DSS 3.0.
In Part 1 we went over the basis of the update and named some key components. Below you will find more details on what PCI Compliance 3.0 means to your business.
What are the key themes of PCI DSS 3.0?
Education & Awareness
- There has been a combination of a lack of education, awareness, poor implementation and maintenance of the standards. This is a key component to many security breaches that happen today.
- The new version calls out to establish better processes and accountability to meet and maintain secure payments.
- Payment technology that has security features does not account for your organization’s need to be PCI Compliant.
A More Customizable Approach
- The new update will be focused on adding flexibility to avoid some most frequently seen risks that lead to comprised cardholder – weak passwords/authentication, malware and poor self-detection of data breaches to name a few.
- Merchants and organizations will now have the flexibility to approach, address and mitigate these common risks.
- More rigorous testing procedures will help validate implementation of PCI DSS requirements and help keep organizations safe.
Security Is A Shared Responsibility
- To mitigate the confusion around where responsibility lies for cardholder data between merchants/organizations and service providers (ie. Banks, VARS, gateways…etc.), the new version adds and clarifies where responsibility lies.
- Both parties must be responsible cardholder data.
- Merchants can’t delegate accountability of cardholder data.
How will this affect your business?
The new standards could place more responsibility on organizations, as there will be a clarified common definition and approach to achieve compliance. These standardizations will decrease inconsistencies with assessment. It’s possible that this may increase/decrease the costs of audits, as it may be more time consuming or efficient.
The new requirement to “maintain an inventory of system components in scope for PCI DSS” may create volatility for in-scope systems which would ultimately affect your organization should you have to constantly update to these in-scope systems.
It is still not certain what the Council will recommend however the update will focus on refined training of POS devices to avoid theft/breaches. There may be technological components associated however it’s unknown.
Frequent Security Breaches
An updated list of common vulnerabilities is to be provided. This could constrain organizations to worry only about what’s on this list and not beyond. Increasing merchants and organizations risk to data breaches.
The intentions of these updates are in the best interest of the merchant and organizations. In fact they should be easier for merchants to follow and stay safe from credit card fraud.
Security is a duty. Companies should remind themselves that their customers are entrusting them with their personal data.
Want to stay ahead of the curve in Data Security? Contact us to learn more about PCI Compliance.