At the end of June, merchants that accept payment cards have five new security requirements to comply with -- and significant fines and other costs if they don't.
The new rules are part of the new Payment Card Industry Data Security Standard. Here is some advice from Trustwave Holdings, a PCI compliance consulting firm.
1. Be sure to log customers out
Your customer is at a public kiosk at an airport and visits your site. Maybe they want to buy something, or check prices. The boarding announcement comes over the loudspeaker, they close out the browser, and run off to get on the plane.
Did you log them out? Or is their session still active -- and available to whoever uses the kiosk next?
"This primarily affects merchants that develop their own applications," said Don Brooks, a senior security engineer at Trustwave. "But if you have an application that you bought from a vendor, you need to call and make sure the vendor has taken care of this."
You can outsource the responsibility, he said, but not the liability.
"If you're working with a third party, make sure they're doing the right things," he said.
In a related authentication issue, a customer's account needs to be locked after three to five attempts, to keep out hackers trying all possible passwords.
2. Unique credentials for all employees
PCI has long had a requirement that each employee has to have their own login credentials to sensitive systems.
That way, if something goes wrong, you at least know who was responsible.
Now, this requirement extends to third-party providers, as well.
Not only must each employee have their own user account, but they need to have different user accounts for each customer they work with.
"Otherwise, if someone can figure out how to break into one, they can break into others," said Brooks.
3. Service providers must accept responsibility
Third party service providers must now acknowledge, in writing, that they are responsible for keeping cardholder data safe. Before, they just had to say that they would be PCI compliant -- this takes it one step further.
If there's a breach, the merchant is still going to be the one hit with fines and other costs.
"But if there's gross negligence, you could pursue litigation for reimbursement," said Brooks.
Say, for example, the service provider has a single access credential for all their employees and customer accounts, which leads to a breach.
"If you find out that the service provider wasn't doing all the things they needed to do, you could sue them in civil court," he said.
4. Protect payment terminals
Merchants have long been expected to make sure their point of sale devices were secure, but now there's a specific requirement to do regular inspections of devices to ensure that they weren't tampered with.
For example, when cashiers start their shifts, they can be trained to inspect their terminals to make sure they haven't been touched. These employees use the equipment on a regular basis, and would be the first to notice if something had changed.
"The real risk is that a bad guy comes in and swaps your terminal or tinkers with it," Brooks said.
5. Pen test your PCI environment
Penetration has been part of the PCI DSS since version 1.2, but there were few concrete details about exactly what this meant.
"If you go to five different vendors, you'll get five different offerings," said Brooks.
Now, there are specifics.
"There was some guidance that was issued a couple of weeks ago," he said. "The focus now is to test from any internal locations that aren't part of the cardholder environment into the cardholder environment. To check the walls that we built to keep the PCI environment safe from everywhere else."
Fines, fees, and penalties -- oh, my!
What happens to merchants who don't comply? It's going to cost them some money.
"Often we see fines in the $100,000 to $500,000 range," he said. "But that is just the beginning."
A breach that results in the loss of 10,000 credit card numbers will result in a fine of about $250,000 from the card brand.
Small merchants that previously were able to self-assess may now be required to hire auditors to do their PCI assessments, which will add between $50,000 and $100,000 in expenses.
Then there are the costs of issuing new cards, paying for credit monitoring -- and the loss of customers who've heard about the breach and don't trust you any more.
The biggest change, of course, is the liability shift. If there is a fraudulent purchase -- and the merchant hasn't yet upgraded to the new EMV smartcard readers -- then the merchant is responsible for the losses. This goes into effect in October.