Heads up! PCI DSS v3.0 comes into force June 30th
If you take payments by card, you'll be aware of the Payment Card Industry Data Security Standard, PCI DSS (and if not, you should be). PCI DSS 3.0 came into effect at the beginning of the year; some elements of the standard were designated “best practices” until they become mandatory on June 30. These requirements will affect both merchants and providers of PCI compliance solutions (that's us).
Don Brooks, Senior Security Engineer at Trustwave, says there are two ways IT solutions providers can attest. Some VARs and systems integrators could be eligible to self-assess, for example if they do not facilitate transactions or if their customer processes fewer than 300,000 transactions per year. Many solutions providers, however, are considered Level 1 service providers and will have to be assessed for compliance with PCI DSS by a Qualified Security Assessor (QSA). Brooks says that for IT solutions providers who have not gone through an assessment by a QSA before, it can take about three months. He says you only have to attest to the part of the merchant's process you are involved with, and you only have to satisfy the merchant that you are in compliance; no other entity will seek this information. It is the merchant that is ultimately responsible for showing that its management of the third parties interacting with the payment environment is compliant. Brooks comments, “PCI is happy to let them outsource, but they can never outsource the liability. It still falls on the merchant.”
Another June 30 requirement is that all vendors - including IT solutions providers - with remote access must have separate credentials for each of their merchant clients. Brooks says situations have occurred in which a vendor that used one set of login credentials for all of its clients was hacked and, as a result, all of its clients experienced a security breach.
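As an added illustration of that per-client credential requirement (this is example code, not from the original post or from Trustwave), the following Python audit runs over a constructed remote-access log, flags any credential used on more than one merchant, and shows the blast radius of a single leaked credential. The log format, account names and merchant names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of a vendor's remote-access log (format, users and
# merchants are invented for this example). One line per remote session.
ACCESS_LOG = """\
2014-06-01T09:12:03Z user=vendor-support merchant=shop-a method=vpn
2014-06-01T10:40:17Z user=vendor-support merchant=shop-b method=vpn
2014-06-02T08:05:44Z user=vendor-support merchant=shop-c method=rdp
2014-06-02T11:22:09Z user=svc-shop-d merchant=shop-d method=vpn
2014-06-03T14:55:31Z user=svc-shop-e merchant=shop-e method=vpn
"""


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    record = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        record[key] = value
    # Both fields are needed to reason about credential sharing.
    return record if {"user", "merchant"} <= record.keys() else None


def merchants_per_credential(log_text):
    """Map each remote-access credential to the set of merchants it touched."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            usage[rec["user"]].add(rec["merchant"])
    return usage


def shared_credentials(log_text):
    """Credentials reused across merchants: the setup PCI DSS 3.0 disallows."""
    return {user: sorted(m) for user, m in merchants_per_credential(log_text).items()
            if len(m) > 1}


def blast_radius(log_text, compromised_user):
    """Merchants exposed if this one credential is compromised."""
    return sorted(merchants_per_credential(log_text).get(compromised_user, set()))


if __name__ == "__main__":
    for user, merchants in shared_credentials(ACCESS_LOG).items():
        print(f"VIOLATION: {user} used on {len(merchants)} merchants: {', '.join(merchants)}")
```

Run against a real access log, each flagged account is a credential whose compromise would expose every merchant listed beside it, which is the scenario Brooks describes.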
PCI DSS 3.0 requires IT network penetration testing - evaluating the security of the system by attempting to exploit vulnerabilities or flaws, improper configurations, or user errors. Merchants are also required to physically protect, inventory, monitor, and inspect all devices used to capture payment data.
As a trusted provider of award-winning PCI compliance solutions, we're ready to assist you in complying with these latest regulations. For further information, check out our PCI-DSS pages, and don't hesitate to contact us.