Companies that accept credit card payments and process cardholder data are facing some significant changes that they will need to comply with by 30 June.
This is a result of new Data Security Standard requirements from the Payment Card Industry Security Standards Council, known as PCI DSS 3.0. This will see many of the things that were previously only seen as best practice become mandatory.
Key changes include a requirement for businesses to verify that broken authentication and session management are addressed. This will help prevent unauthorised individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable the intruder to assume the identity of an authorised user.
In addition any third-party service providers with remote access to customer premises must use a unique authentication credential for each customer. Providers must also go through additional testing to examine authentication policies and procedures and interview personnel to verify that different authentication is used for access to each customer. Third-party service providers must acknowledge in writing to customers that they are responsible for the security of any cardholder data they process or store.
Businesses must add protection for in-store point-of-sale devices too. This includes the need to train employees on how to be aware of suspicious behaviour and to report tampering or substitution of the devices.
Finally, businesses need to implement a new penetration testing methodology based on industry-accepted approaches. Penetration testing must cover the entire card data environment and critical systems as well as validate any segmentation and scope-reduction controls.
There will be further tightening for online transactions thanks to the National Institute of Standards and Technology (NIST) guidance that SSL is no longer considered adequate for transport layer security and recommending migration to TLS 1.2 instead.
PCI DSS 3.1 will require organisations accepting payments online to use TLS. This should have minimal impact on consumers provided they're using a recent browser version.
Michael Aminzade, VP Global Compliance & Risk Services at Trustwave says, "Organisations had 18 months to comply with PCI 3.0 because of the need to replace kit and update software on retail sites. We expect a tighter timeline for TLS implementation as it's easier for merchants to turn off earlier software versions and update security certificates".
More information about PCI DSS standards and what they mean for businesses is available on the Trustwave website.