Five tips to comply with the new PCI requirements

At the end of June, merchants that accept payment cards have five new security requirements to comply with -- and significant fines and other costs if they don't.

The new rules are part of the updated Payment Card Industry Data Security Standard (PCI DSS). Here is some advice from Trustwave Holdings, a PCI compliance consulting firm.

1. Be sure to log customers out

Your customer is at a public kiosk at an airport and visits your site. Maybe they want to buy something, or check prices. The boarding announcement comes over the loudspeaker, they close out the browser, and run off to get on the plane.


Did you log them out? Or is their session still active -- and available to whoever uses the kiosk next?

"This primarily affects merchants that develop their own applications," said Don Brooks, a senior security engineer at Trustwave. "But if you have an application that you bought from a vendor, you need to call and make sure the vendor has taken care of this."

You can outsource the responsibility, he said, but not the liability.

"If you're working with a third party, make sure they're doing the right things," he said.

In a related authentication requirement, a customer's account must be locked after three to five failed login attempts, to keep out attackers who try every possible password.
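The two controls from this section, idle-session expiry and account lockout after repeated failures, as an added illustration that is not Trustwave's or the PCI Council's code. The 15-minute idle limit and 30-minute lockout are assumed policy values; the five-attempt threshold follows the article's "three to five". The clock is injectable so expiry can be exercised without waiting.

```python
import hashlib, hmac, secrets, time

IDLE_TIMEOUT = 15 * 60   # assumed idle limit in seconds (a policy choice, not from the article)
MAX_FAILED = 5           # article: lock the account after three to five failed attempts
LOCKOUT = 30 * 60        # assumed lockout duration in seconds


def _hash(password, salt):
    # Salted PBKDF2 so the store never keeps the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested without sleeping
        self.accounts = {}      # user -> (salt, pbkdf2 hash)
        self.failures = {}      # user -> (failed count, locked-until timestamp)
        self.sessions = {}      # token -> (user, last-seen timestamp)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        """Return a session token on success, None on failure or while locked."""
        now = self.clock()
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return None                          # locked: do not even check the password
        count = 0 if locked_until else count     # an expired lockout resets the counter
        rec = self.accounts.get(user)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        if not ok:
            count += 1
            self.failures[user] = (count, now + LOCKOUT if count >= MAX_FAILED else 0.0)
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def touch(self, token):
        """Call on every request: refresh the session, or expire it if idle too long."""
        if token not in self.sessions:
            return None
        user, last_seen = self.sessions[token]
        now = self.clock()
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[token]             # the abandoned kiosk session ends here
            return None
        self.sessions[token] = (user, now)
        return user
```

A real deployment would persist the failure counters and sessions in a shared store rather than in-process dictionaries, so that lockouts survive restarts and apply across all application servers.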

2. Unique credentials for all employees

PCI has long had a requirement that each employee has to have their own login credentials to sensitive systems.

That way, if something goes wrong, you at least know who was responsible.

Now, this requirement extends to third-party providers, as well.

Not only must each employee have their own user account, but they need to have different user accounts for each customer they work with.

"Otherwise, if someone can figure out how to break into one, they can break into others," said Brooks.

3. Service providers must accept responsibility

Third-party service providers must now acknowledge, in writing, that they are responsible for keeping cardholder data safe. Before, they only had to say that they would be PCI compliant -- this takes it one step further.

If there's a breach, the merchant is still going to be the one hit with fines and other costs.

"But if there's gross negligence, you could pursue litigation for reimbursement," said Brooks.

Say, for example, the service provider has a single access credential for all their employees and customer accounts, which leads to a breach.

"If you find out that the service provider wasn't doing all the things they needed to do, you could sue them in civil court," he said.

4. Protect payment terminals

Merchants have long been expected to make sure their point-of-sale devices were secure, but now there's a specific requirement to inspect devices regularly to ensure that they haven't been tampered with.


For example, when cashiers start their shifts, they can be trained to inspect their terminals to make sure they haven't been touched. These employees use the equipment on a regular basis, and would be the first to notice if something had changed.

"The real risk is that a bad guy comes in and swaps your terminal or tinkers with it," Brooks said.

5. Pen test your PCI environment

Penetration testing has been part of the PCI DSS since version 1.2, but there were few concrete details about exactly what this meant.

"If you go to five different vendors, you'll get five different offerings," said Brooks.

Now, there are specifics.

"There was some guidance that was issued a couple of weeks ago," he said. "The focus now is to test from any internal locations that aren't part of the cardholder environment into the cardholder environment. To check the walls that we built to keep the PCI environment safe from everywhere else."

Fines, fees, and penalties -- oh, my!

What happens to merchants who don't comply? It's going to cost them some money.

"Often we see fines in the $100,000 to $500,000 range," he said. "But that is just the beginning."

A breach that results in the loss of 10,000 credit card numbers will result in a fine of about $250,000 from the card brand.

Small merchants that previously were able to self-assess may now be required to hire auditors to do their PCI assessments, which will add between $50,000 and $100,000 in expenses.

Then there are the costs of issuing new cards, paying for credit monitoring -- and the loss of customers who've heard about the breach and don't trust you any more.

The biggest change, of course, is the liability shift. If there is a fraudulent purchase -- and the merchant hasn't yet upgraded to the new EMV smartcard readers -- then the merchant is responsible for the losses. This goes into effect in October.

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts