If your business accepts credit cards, there are new security regulations that require your attention. The deadline for mandatory changes to version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) is June 30, and staying compliant is not just your vendor's responsibility.
Although most credit card processors and point-of-sale (POS) system providers have already taken the steps to address these changes, businesses and merchants must also ensure compliance to avoid hefty fees.
As a small business, however, it's easy to feel overwhelmed by these changes. The first step is to talk to your vendor about the new regulations, how they are helping you stay compliant and if there's anything that needs to be done on your end. Additionally, there are several action items that you can take to make sure your business is on the right track. [Accepting Credit Cards? PCI Compliance a Concern for Small Businesses]
To help businesses stay compliant, Don Brooks, senior security engineer at Trustwave, a security services company, offered the following tips on how businesses can meet PCI 3.0 standards — and what will happen to companies if they don't.
"Beginning June 30, under the PCI DSS 3.0 and 3.1, any business that stores, processes or transmits payment card data and third-party service providers who work with businesses will need to make the following changes," Brooks said.
- Make sure you have added protection for in-store POS systems. Businesses must maintain a list of POS devices and periodically inspect them for tampering or substitution. Companies must also train employees to spot any red flags of suspicious behavior and to report tampering or substitution of the devices. Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. Such thieves also try to add "skimming" components to the outside of devices, which are designed to capture payment-card details before they even enter the device. The new requirement helps businesses flag a POS device if it is breached and determine what actions to take so that any damage is minimized.
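The device inventory and periodic inspection described above (PCI DSS 3.0 requirement 9.9) boil down to a reconciliation: compare what staff observe on the floor with the authorised list of make, model, location and serial number, and flag anything missing, substituted, tampered with, or not on the list at all. The following is an added example, not code from the article, Trustwave or the PCI Security Standards Council; the device records and the tamper-seal field are constructed for illustration.

```python
"""Reconcile a periodic POS terminal inspection against the authorised
device inventory.  Added example with constructed data; the Device and
reconcile() names are hypothetical, not from any real tool."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    make: str
    model: str
    location: str
    serial: str
    seal: str  # tamper-evident seal number recorded at installation (constructed field)


# Constructed baseline: the list the merchant is required to maintain, keyed by location.
INVENTORY: Dict[str, Device] = {
    "lane-1": Device("Acme", "P400", "lane-1", "SN-1001", "SEAL-A1"),
    "lane-2": Device("Acme", "P400", "lane-2", "SN-1002", "SEAL-A2"),
    "returns": Device("Acme", "P200", "returns", "SN-2001", "SEAL-B1"),
}

# Constructed inspection record: what staff observed during today's walk-round.
INSPECTION: Dict[str, Device] = {
    "lane-1": Device("Acme", "P400", "lane-1", "SN-1001", "SEAL-A1"),   # unchanged
    "lane-2": Device("Acme", "P400", "lane-2", "SN-1002", "SEAL-ZZ"),   # seal replaced
    "returns": Device("Acme", "P400", "returns", "SN-9999", "SEAL-B1"), # different unit
    "lane-3": Device("Acme", "P400", "lane-3", "SN-1003", "SEAL-A3"),   # not on the list
}


def reconcile(inventory: Dict[str, Device], inspection: Dict[str, Device]) -> List[str]:
    """Return one finding per discrepancy, sorted so reports are stable."""
    findings: List[str] = []
    for loc, expected in inventory.items():
        seen = inspection.get(loc)
        if seen is None:
            # A listed terminal that nobody could find: possible theft.
            findings.append(f"{loc}: MISSING device {expected.serial}")
        elif seen.serial != expected.serial:
            # Same position, different hardware: a swapped (possibly skimming) terminal.
            findings.append(
                f"{loc}: SUBSTITUTED serial {expected.serial} -> {seen.serial} "
                f"({seen.make} {seen.model})"
            )
        elif seen.seal != expected.seal:
            # Same unit but the seal changed: the case may have been opened.
            findings.append(f"{loc}: TAMPER seal {expected.seal} -> {seen.seal}")
    for loc in sorted(inspection.keys() - inventory.keys()):
        # Hardware nobody approved: rogue device or an inventory gap to fix.
        findings.append(f"{loc}: UNKNOWN device {inspection[loc].serial}")
    return sorted(findings)


if __name__ == "__main__":
    for line in reconcile(INVENTORY, INSPECTION):
        print(line)
```

Every finding maps to an action the requirement expects the merchant to have defined in advance: a substituted or tampered terminal is taken out of service and the acquirer notified, an unknown device is investigated, and a clean run is recorded as evidence that the inspection happened.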
- Perform penetration testing based on industry standards. Businesses must conduct penetration testing that covers the entire perimeter of the cardholder data environment and its critical systems, including any entry points and backdoors through which unauthorized users could reach those systems. Companies must also validate any segmentation and scope-reduction controls. The standard also specifies what application-layer and network-layer tests should include. Businesses must also report any threats and vulnerabilities they have experienced in the last 12 months and explain how they will remediate weaknesses uncovered by penetration tests. Businesses should also test both the authenticated and the unauthenticated areas of their applications.
- Verify that broken authentication and session management are addressed. Businesses must examine software development policies and procedures, and interview responsible employees, to verify that broken authentication and session management are addressed through coding techniques. This includes flagging session tokens (for example, cookies) as secure, not exposing session IDs in the URL, and incorporating appropriate time-outs and rotation of session IDs after a successful login. This requirement helps prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable an intruder to assume the identity of an authorized user.
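The four coding practices listed in that item (secure cookie flags, no session ID in the URL, time-outs, and rotation of the session ID on login, the "broken authentication and session management" item, requirement 6.5.10 in PCI DSS 3.0) fit in a small server-side session store. Below is an added, framework-free example written for this article; it is not code from Trustwave or from any web framework, and the `SessionStore` class, its methods and the time-out values are hypothetical choices made here for illustration.

```python
"""Minimal session manager showing the session-management controls from the
article: Secure/HttpOnly cookie flags, session ID accepted only from the
cookie (never the URL), idle and absolute time-outs, and rotation of the
session ID after a successful login.  Added example; the SessionStore API
and the time-out constants are hypothetical, not from any real library."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on total session lifetime (assumed policy)


@dataclass
class Session:
    user: Optional[str]        # None until the user authenticates
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock    # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable

    def create(self) -> str:
        """Start an anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session, enforcing both time-outs; touches last_seen on success."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, old_sid: str, user: str) -> str:
        """Rotate on authentication: the pre-login ID is discarded so anyone who
        learned it (e.g. by session fixation) does not inherit the logged-in session."""
        old = self.get(old_sid)
        carried = old.data if old else {}
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        now = self._clock()
        self._sessions[new_sid] = Session(user=user, created=now, last_seen=now, data=carried)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure: sent only over TLS.  HttpOnly: invisible to page script.
    SameSite=Strict: not attached to cross-site requests."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def session_id_from_cookie(cookie_header: str) -> Optional[str]:
    """The only place the server reads the session ID from."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    return None


def url_exposes_session_id(url: str) -> bool:
    """Guard for generated links/redirects: IDs in URLs leak via logs and Referer."""
    return "sid" in parse_qs(urlsplit(url).query)
```

The rotation in `login` is the detail most often skipped: issuing a fresh ID only at first visit, and keeping it across authentication, is exactly what lets a fixed or leaked pre-login ID become an authenticated one.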
While these steps may sound overly technical, particularly for a small business, discussing them with your vendor can help ease your worries. Additionally, third-party service providers should acknowledge in writing that they are also responsible for the security of cardholder data, Brooks said.
PCI 3.0 noncompliance fines
Businesses that fail to meet the new standards could face substantial fines from both security regulators and card brands.
"The initial fine is typically [in the] $100,000 to $500,000 range," said Brooks. "Merchants that process more than 6 million payment-card-data transactions annually could face $50,000 to $100,000 in additional expenses."
Factors like the size of a business, a history of previous security breaches and past noncompliance can also affect these amounts, Brooks added. There may be other fees on top of these fines, such as a $50 re-issuance fee for each compromised card, $2 per customer for credit monitoring and a $250,000 fine from card brands if the breach affects more than 10,000 cards.
For more information on PCI 3.0, visit PCI's summary of changes.