If you accept credit cards for payment in your business, then you are subject to the Payment Card Industry Data Security Standard (PCI-DSS). Up to now, this standard has really been more about compliance, but this year the Payment Card Industry is definitely focusing on real 24/7/365 security. The industry has been hit hard in the last two years by the BackOff POS malware attacks that have affected major retailers such as Target, Home Depot, and Staples, as well as hundreds of other businesses large and small.
Now is the time to get going with the system upgrades that are going to be required to meet the tougher standards of PCI-DSS 3.0. The new standards are going to be looking at five new areas of operation.
- Employee training and policy standards around passwords, especially the importance of changing default passwords on network devices, appliances, and software.
- More penetration testing is likely to be mandated for companies accepting credit cards. Audits that limited their focus to compliance will be delving more deeply into the actual security environment of the business.
- Vendor risk management will also become more important, since several major retail breaches started with a compromise of the less secure networks of smaller vendors.
- More devices will be covered under the new standard, as it will no longer matter whether card data is actually stored on the system. The current state of the art in POS malware uses a technique called “memory scraping”, in which the card data is captured directly from the POS system's RAM, while it is still in cleartext, before it is handed off to the operating system and software that would encrypt it.
- Real security, not just compliance, will be emphasized, with the expectation that card payment systems will be properly secured at all times, and not just for the annual audit.
This will mean most retailers will really need to partner with a cybersecurity firm that can provide them with the employee training, information security policies and documentation, and vulnerability and penetration testing that the new standards are going to require.
More Info: PCI-DSS 3.0 Standards document