Deadline looms for PCI 3.0 requirements

If your company accepts credit card payments and processes cardholder data, then there are some significant changes to security requirements coming down the pipe that you should be aware of.

In a few weeks, the bar will rise for companies that take credit card payments online. June 30 is the last stage of the Payment Card Industry Security Standards Council’s implementation of PCI DSS 3.0. Until now, many of the requirements in the standard were considered little more than best practice, but as of June 30 they become mandatory. There are a few hoops to jump through, if you haven’t already:

Session management
Companies who haven’t already done so will have to verify that they have addressed broken authentication and session management, to stop attackers from stealing legitimate account login details or session tokens.
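The requirement above is about not letting an attacker obtain or reuse a session token. As an added illustration (this is example code, not from the article or from the PCI Council), the Python below shows the server-side controls that address it: tokens drawn from the OS CSPRNG, only a hash of the token kept server-side, an idle timeout, rotation of the token at login so a fixated token never becomes an authenticated session, server-side revocation on logout, and a cookie that is HttpOnly, Secure and SameSite. The in-memory store, the 15-minute timeout and the cookie name `sid` are assumptions for the example.

```python
# Added example (not from the article): server-side session handling that
# addresses the "broken authentication and session management" item above.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_TTL = 15 * 60   # idle timeout in seconds (constructed value for the example)
TOKEN_BYTES = 32        # 256 bits from the OS CSPRNG; tokens cannot be guessed


def _key(token: str) -> str:
    """Store only a hash of the token, so a leaked session table is not a
    collection of usable credentials."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class Session:
    user_id: str
    expires_at: float


@dataclass
class SessionStore:
    """In-memory store keyed by token hash. The injectable clock exists so
    expiry can be exercised without waiting; a real deployment would back
    this with a shared database or cache (assumed, not shown)."""
    clock: Callable[[], float] = time.time
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, user_id: str) -> str:
        """Issue a fresh random token for a user."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.sessions[_key(token)] = Session(user_id, self.clock() + SESSION_TTL)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None for an unknown,
        revoked or idle-expired token. A valid use extends the idle timeout."""
        sess = self.sessions.get(_key(token))
        if sess is None:
            return None
        if self.clock() >= sess.expires_at:
            del self.sessions[_key(token)]   # purge so it cannot be replayed later
            return None
        sess.expires_at = self.clock() + SESSION_TTL
        return sess.user_id

    def rotate(self, old_token: str, user_id: Optional[str] = None) -> Optional[str]:
        """Replace the token after login or a privilege change, invalidating
        the old one. This defeats session fixation: a token planted before
        authentication never becomes the authenticated session."""
        current = self.validate(old_token)
        if current is None:
            return None
        del self.sessions[_key(old_token)]
        return self.create(user_id or current)

    def revoke(self, token: str) -> None:
        """Server-side logout: deleting the cookie alone must not be the only
        thing that ends a session."""
        self.sessions.pop(_key(token), None)


def cookie_header(token: str) -> str:
    """Set-Cookie value: not readable by scripts, HTTPS only, not sent
    cross-site. Cookie name 'sid' is an assumption for the example."""
    return (f"sid={token}; Path=/; Max-Age={SESSION_TTL}; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")                 # e.g. a shopping-cart session
    token = store.rotate(pre_login, user_id="alice") or ""  # rotate at authentication
    print(cookie_header(token))
    print("pre-login token still valid?", store.validate(pre_login) is not None)
```

The point a reviewer would check here is that every path that changes who the session belongs to goes through `rotate`, and that `revoke` is called on logout, because a token that stays valid after either event is exactly what the requirement is meant to stop.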

POS protection
Merchants must physically protect card readers to prevent skimming and other tampering with the devices. This applies specifically to merchants involved in ‘card-present’ transactions, which means that point-of-sale devices must be configured and protected accordingly by June 30. Companies must also maintain an inventory of all card-swiping devices, and train staff on the importance of physical card security.

Penetration testing
Companies must adopt an industry-accepted approach for the penetration testing (ethical hacking) procedures used to secure their networks. Testing must include internal and external tests for all components of the system that hold credit card data, and must also cover both the network and application layers. This requirement also mandates that companies retain documentation of both the testing and the remediation results according to a formal schedule.

Service providers
The above requirements just about cover it for merchants, but service providers have two extra hoops to jump through. They must use unique credentials to access each customer’s systems remotely, rather than a single password for all accounts. Third-party companies that are responsible for the security of cardholder data must also acknowledge that responsibility in writing to their customers.

The Payment Card Industry (PCI) Council also recently updated its security standard with a new encryption technology baseline that could have an impact on your security infrastructure.

In mid-April, the Council introduced version 3.1 of its PCI Data Security Standard (DSS) document for merchants that accept credit card payments. It is a relatively minor release in most respects, but it does make a significant change concerning Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

Both of these encryption standards are designed to protect data in transit between devices and online applications. They have been proven vulnerable, with the most recent vulnerability discovered by Google, whose researchers found a flaw called POODLE last October. This revolved around the standard’s use of RC4, an encryption algorithm that had long since been proven vulnerable.

Last year, the US National Institute of Standards and Technology (NIST) updated its own guidelines on TLS encryption. Vulnerabilities in TLS 1.0 make it inappropriate to use, meaning that organizations should move to version 1.1 or 1.2 of the encryption standard, said the NIST document. The PCI Council has adopted this recommendation in PCI DSS 3.1.
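What the new baseline means in practice is a floor on the protocol version an endpoint will negotiate. As an added example (not from the article, NIST or the PCI Council), the Python below uses the standard `ssl` module to build a context that refuses anything below TLS 1.2 and to audit an existing context for versions that still fall below the floor. The floor of TLS 1.2 is this example's own choice: the article cites NIST's 1.1 or 1.2, and 1.2 is the stricter of the two. Function names and the policy constant are assumptions for the example.

```python
# Added example (not from the article or the PCI Council): a protocol-version
# policy for TLS endpoints that carry cardholder data, using Python's ssl module.
import ssl
from typing import List, Optional

# Policy floor for this example: TLS 1.2 and newer (see lead-in; an assumption).
MINIMUM_ALLOWED = ssl.TLSVersion.TLSv1_2

# Concrete protocol versions in ascending order, each paired with the legacy
# OP_NO_* option bit that also disables it on older configurations.
_VERSIONS = [
    (ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def negotiable_versions(minimum: ssl.TLSVersion, maximum: ssl.TLSVersion,
                        options: int) -> List[str]:
    """Names of the versions a context with these settings would still offer.
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean 'no explicit bound'."""
    lo = ssl.TLSVersion.SSLv3 if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else minimum
    hi = ssl.TLSVersion.TLSv1_3 if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED else maximum
    return [v.name for v, no_flag in _VERSIONS
            if lo <= v <= hi and not (options & no_flag)]


def non_compliant_versions(minimum: ssl.TLSVersion, maximum: ssl.TLSVersion,
                           options: int) -> List[str]:
    """Subset of the negotiable versions that sit below the policy floor."""
    return [name for name in negotiable_versions(minimum, maximum, options)
            if ssl.TLSVersion[name] < MINIMUM_ALLOWED]


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Offending versions for a live SSLContext; an empty list means compliant."""
    return non_compliant_versions(ctx.minimum_version, ctx.maximum_version, ctx.options)


def pci_context(purpose: ssl.Purpose, certfile: Optional[str] = None,
                keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Context that refuses anything below MINIMUM_ALLOWED. Use
    Purpose.CLIENT_AUTH plus a certificate for a server socket, and
    Purpose.SERVER_AUTH for an outbound client connection."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = MINIMUM_ALLOWED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # A legacy-style configuration that still offers TLS 1.0 and 1.1.
    print("legacy offers:", non_compliant_versions(
        ssl.TLSVersion.TLSv1, ssl.TLSVersion.MAXIMUM_SUPPORTED, 0))
    # The policy-conforming context offers nothing below the floor.
    print("pci context offers:", audit_context(pci_context(ssl.Purpose.SERVER_AUTH)))
```

For a deployed endpoint, the same check applies to the version actually negotiated: after wrapping a socket with the context, `sock.version()` reports the protocol in use, and anything below the floor there means a proxy or load balancer in front of the application is still terminating TLS with an older configuration.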


Danny Bradbury (http://www.wordherder.net)
Danny Bradbury is a technology journalist with over 20 years' experience writing about security, software development, and networking.
