From PCI compliance to loyalty programs, assuring customers that their private information is secure is essential to earning their trust. But the rules keep changing, so retailers need to stay focused to remain in compliance with current security standards.
By Pat Pape, Contributing Editor.
In November, the Payment Card Industry Security Standards Council (PCI SSC), the global forum for establishing payment card security standards, released Version 3.0, the first standards update in three years. While the new standards officially go into effect on Jan. 1, 2014, Version 2.0 remains active until Dec. 31, 2014 to give merchants adequate time to make the transition. The updated standards have three primary objectives:
• To make third-party service providers more responsible for payment card security.
• To better educate everyone—not just IT auditors—about the standards.
• To make payment card security a priority for all employees in an organization, not just members of the IT team.
The Version 3.0 update is expected to make payment card security, “business as usual as opposed to a once-a-year compliance issue,” said Bob Russo, general manager of PCI SSC. “The goal is to make the standards more user-friendly, while increasing education and awareness and achieving greater flexibility for the small merchant.”
Like small businesses everywhere, convenience store operations without an established IT department must outsource technology and security requirements. “But you’re still responsible for [the companies] you outsource this to,” said Russo. “You need to be sure that the third-party providers you use to do your processing are secure and PCI compliant.”
Version 3.0 makes third-party providers more accountable to their clients for ensuring credit and debit card security.
In the past, merchants were required to change default passwords for the software they purchased, “but the enforcement of that has been challenging,” said Troy Leach, the chief technology officer for PCI SSC. “Vendors created applications that they would sell, and in the instruction manual, it would say that you had to change the password. But merchants would think that they had just purchased a compliant piece of software and often didn’t make the required password change. We’ve added a new requirement that says the onus is on vendors to educate their customers as to any additional responsibility that comes with buying software.”
Forensic evidence suggests that 90% of past data breaches have a third-party relationship associated with them. “We want to make sure those third-party relationships understand that they still have a responsibility—if not directly, indirectly through their customers—to protect card data after the product is in the customer’s hands,” Leach added.
In addition, third-party providers must take precautions to secure their own data just as merchants are required to do. One new standard obliges third-party providers to use a separate internal password for each individual client they serve.
“We’ve seen a series of data breaches in the last couple of years where the third-party providers used a single password—an alphanumeric password with seven characters or more, which was PCI compliant—for each and every merchant in their portfolio,” Leach said. “Once criminals discovered that one password, they were able to compromise multiple independent merchants. That was a very surprising discovery.”
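The two failure modes described above, a vendor default password that the merchant never changed and one password shared across a provider's whole client roster, can both be stopped at the moment a credential is created. The following is an added example, not code from the article or from PCI SSC: a provisioning routine for a service provider's per-client credential store that refuses known default passwords and refuses any password already in use for another client. The default-password list, the client identifiers and the passwords are constructed for the example; hashing uses `hashlib.pbkdf2_hmac` from the Python standard library with a random salt per client.

```python
"""Provisioning-time checks for a service provider's per-client credentials.

Added example (not from the article or PCI SSC). All client ids, passwords and
the default-password list below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed list of vendor default passwords that must never be accepted.
KNOWN_DEFAULTS = {"admin", "password", "pos1234", "changeme"}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    return hmac.compare_digest(hash_password(password, salt), digest)


class CredentialStore:
    """Maps client id -> (salt, digest).

    Every client gets its own random salt, so two clients sharing a password
    still have different digests. Reuse therefore cannot be spotted by comparing
    stored hashes; it has to be caught at provisioning time by verifying the
    candidate password against every other client's record.
    """

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def provision(self, client_id: str, password: str) -> bool:
        """Create or rotate a client's credential; raises ValueError if rejected."""
        if password.lower() in KNOWN_DEFAULTS:
            raise ValueError("vendor default password is not permitted")
        for other, (salt, digest) in self._records.items():
            if other != client_id and verify(password, salt, digest):
                raise ValueError(f"credential already in use for client {other}")
        salt = os.urandom(16)
        self._records[client_id] = (salt, hash_password(password, salt))
        return True

    def authenticate(self, client_id: str, password: str) -> bool:
        rec = self._records.get(client_id)
        return rec is not None and verify(password, rec[0], rec[1])

    def exposure_count(self, password: str) -> int:
        """Audit metric: how many clients a leak of this one password would
        expose. With per-client credentials the answer is never more than 1."""
        return sum(1 for salt, digest in self._records.values() if verify(password, salt, digest))


def provision_or_reason(store: CredentialStore, client_id: str, password: str) -> str:
    """Helper for the demo: returns 'ok' or the rejection reason."""
    try:
        store.provision(client_id, password)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    store = CredentialStore()
    print(provision_or_reason(store, "merchant-001", "Qx7!rT2m#kL9"))   # ok
    print(provision_or_reason(store, "merchant-002", "Qx7!rT2m#kL9"))   # rejected: reuse
    print(provision_or_reason(store, "merchant-002", "pos1234"))        # rejected: default
    print(provision_or_reason(store, "merchant-002", "mN4$vB8&pW1z"))   # ok
    print(store.exposure_count("Qx7!rT2m#kL9"))                         # 1
```

The reuse check costs one password verification per existing client, which is acceptable for a provider's roster of merchants but means the PBKDF2 cost parameter should be chosen with that loop in mind. The same `provision` path should be used for credential rotation, so a client can never be rotated onto a password another client already holds.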
Is Your Provider Compliant?
To ensure you are working with a PCI-compliant vendor, “you have to do your homework,” Russo said. “You need some sort of proof that they’re PCI compliant. Are they listed on the Website of one of the card brands? The Websites [Visa, MasterCard, etc.] list the PCI compliant vendors.”
As for researching the technology supplied by a third-party provider, merchants can go to the PCI Website, www.pcisecuritystandards.org, to see if their recommended applications and POS devices are designated compliant. “They’re listed on our Web, along with descriptions, serial numbers and photos,” Russo said. “If you’re a small merchant and you’re not really into technology, you can have a look and see if the picture of your device is there.”
Because businesses of all sizes are responsible for the proper handling of credit and debit card data, PCI SSC works closely with trade associations, such as the National Association of Convenience Stores (NACS) and the National Restaurant Association (NRA), to communicate the importance of ongoing security.
“They have the touch point with smaller merchants and are getting the word out about what they need to do to protect themselves,” Russo said.
As evidenced by past security breaches, theft of credit or debit card information can be a business debacle, resulting in fines for the retailer and even consumer and shareholder lawsuits. “That certainly would take your mind off running your business,” Russo added.
Most employees believe IT security is the duty of the organization’s technology team, but it is actually the responsibility of everyone in the organization, said Leach. That is why PCI is working to educate everyone from software developers to the salesperson at the cash register.
He recalled one data breach after which several members of the software development team were brought together to discuss the problem. When asked if they’d followed PCI requirements in creating the product, team members asked, “What is that?” Not a single one was familiar with PCI best practices.
“You can only secure an application so much after it’s been developed,” Leach said. “We need to educate developers before the application is created. More people are becoming aware that security should be a part of the entire lifecycle of a product—not only in development and design of the product, but also in continuing to evaluate the product for potential new threats.”
The new PCI standards also cover training for associates on the sales floor so they will be alert to potential threats to payment card data, such as device tinkering and substitution.
“There is a lot of stuff in there that deals with how you accept a credit card, what the payment devices look like and how to make sure that they haven’t been tampered with,” Russo said.
Brett Stewart, an Austin, Texas-based network and security expert and technology patent holder, appreciates that PCI has “given everybody until the end of 2014 to wrap their heads around this.”
He also believes the 100-plus page compliance document has been improved by the recent update. “It clarified things that were ambiguous or fixed problems that existed in previous versions,” he said. “Small merchants can still self-assess, or you can hire vendors to do this for you.”
The latest changes will help retailers, both large and small, move from a check-the-box mentality to integrating security processes into daily business practices. “The whole goal of the standards is to make security practices routine in places where they haven’t been,” he said.