PCI Compliance Changes | Storm Internet

Version 3.0 of the PCI Data Security Standard has been in effect since 2015, but many merchants who process credit card payments are still confused about what the changes are and how exactly they affect their business. In this article I will explain which changes you really need to pay attention to and how they will affect your business.

The majority of the changes to PCI DSS are clarifications of requirements that were already being fulfilled, but they do have an impact on everything from controls against tampering to formally documenting the responsibilities of both merchants and service providers, as well as a host of other effects for any business that processes credit card payments online.

There are four major issues that you need to concern yourself with if you run a business online that takes credit card payments. They are:

  • The definition of scope
  • Segmentation
  • New merchant and provider requirements
  • Tampering with point of sale devices

Let’s start with issue # 1: The definition of scope

One of the more complicated issues related to PCI compliance is the definition of scope. There are now over 200 sub requirements in PCI DSS, many of which are not known by most business owners. The days of being able to simply run a vulnerability scan are over.

Because of information sharing, and because most businesses use what’s known as a “flat network”, in which only the connection to the internet is protected by a firewall and every server can communicate with every other server without additional layers of security between them, hackers can gain access to credit card information without even directly attacking the system that credit cards are processed through. This means an enterprising hacker can simply find the path of least resistance into the network and then reach the credit card information from within. It is similar to the scene in horror movies where the babysitter realises that the call is coming from inside the house!

Because of this loophole, PCI DSS compliance is required on all systems that are connected to, or could affect the security of, the systems that actually handle credit card information, not just on those payment systems themselves.

Let’s now move on to issue # 2: Segmentation.

One of the solutions encouraged by PCI is segmentation of networks, using firewalls to keep the systems that deal with credit card information separate from the other servers and parts of the network. As of July of last year, version 3.0 of PCI requires an annual penetration test to make sure that the chosen methods of segmentation are both “operational and effective.” Take a moment after reading this article to check your own segmentation to make sure it is effective and not just providing a false sense of security.
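As an added illustration of the flat-versus-segmented contrast above (this is example code, not Storm Internet's own tooling or the PCI test procedure), the following script evaluates a set of firewall rules against sample traffic flows and reports any flow from outside the cardholder data environment (CDE) that the rules would permit and that is not a documented exception. The zones, rule sets, approved exception and flows are all constructed sample data.

```python
from ipaddress import ip_network, ip_address

# Constructed zones: the CDE and two out-of-scope segments.
ZONES = {
    "cde": ip_network("10.10.0.0/24"),        # payment servers
    "corporate": ip_network("10.20.0.0/24"),  # office workstations
    "hvac": ip_network("10.30.0.0/24"),       # third-party maintenance segment
}

def zone_of(addr):
    """Name of the zone an address belongs to, or 'unknown'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "unknown"

def allowed(rules, src, dst, port):
    """First-match firewall evaluation; implicit deny when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action == "allow"
    return False

def segmentation_violations(rules, flows, approved=frozenset()):
    """Flows (src, dst, port) from a non-CDE zone into the CDE that the rules
    permit and that are not on the documented allowlist of exceptions."""
    out = []
    for flow in flows:
        src, dst, port = flow
        if (zone_of(dst) == "cde" and zone_of(src) != "cde"
                and flow not in approved and allowed(rules, src, dst, port)):
            out.append(flow)
    return out

# Flat network: only the internet edge is filtered, everything internal talks.
FLAT_RULES = [("allow", ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8"), None)]
# Segmented network: one admin jump host may reach the CDE on SSH, nothing else.
SEGMENTED_RULES = [
    ("allow", ip_network("10.20.0.10/32"), ZONES["cde"], {22}),
    ("deny", ip_network("10.0.0.0/8"), ZONES["cde"], None),
    ("allow", ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8"), None),
]
APPROVED = {("10.20.0.10", "10.10.0.7", 22)}  # documented, reviewed exception
SAMPLE_FLOWS = [  # constructed connectivity-test results
    ("10.30.0.5", "10.10.0.7", 445),    # HVAC segment -> payment server
    ("10.20.0.10", "10.10.0.7", 22),    # approved admin jump host
    ("10.20.0.33", "10.10.0.7", 3389),  # workstation -> payment server
]
```

Running `segmentation_violations` with `FLAT_RULES` flags the HVAC and workstation flows, while `SEGMENTED_RULES` yields no violations; an annual test should feed it real rule exports and real connectivity-test results rather than constructed ones.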

The next issue you need to pay attention to if you’re a business owner who takes payments online is # 3: New merchant and provider requirements.

The new adjustments to PCI DSS also affect any third party that comes into contact with cardholder data, or could otherwise compromise the security of that data, on behalf of the merchant. This could be anything from a service provider that works on your firewall, to a support centre, to your online cloud service provider.

Merchant/provider agreements were in the news during the most recent breach of Target’s customer data, which is believed to have started with a cyber break-in at an HVAC contractor.

PCI DSS 3.0 has created new requirements to make responsibility clearer both before and after a potential attack. Formal documentation is now required to explain who is responsible for which PCI requirements, and as of July 2015 all service providers are required to acknowledge their responsibility for PCI compliance in writing.

The last issue I want to address in this article is # 4: tampering with point of sale devices.

Tampering is a major problem at places as diverse as petrol station pumps and ATMs. Often thieves will place skimmers or hidden cameras on or under these point of sale devices and steal card information, as well as potentially gaining access to the system behind the device. As of July 2015 there is a new PCI requirement which states that all such devices must be regularly inspected for signs of tampering.

While it would be almost impossible to detail all of the changes that have occurred due to PCI DSS 3.0, in this article I have outlined and discussed the four most important changes that you need to be aware of. Although PCI DSS 3.0 went into effect on January 1st 2015, a number of requirements, including several of the ones mentioned in this article, did not go into effect until over six months later, in July.

Now that I have refreshed your memory on the updated requirements of PCI DSS 3.0, you should check to make sure that your business and all of its subcontractors and service providers are in full compliance.

If you’d like further information on how Storm Internet can help you with PCI compliance, get in touch with us or call us on 0800 817 4727.