3 changes to PCI mandate retailers need to understand
By Greg Grant, Phoenix Managed Networks
By now, all establishments accepting credit and debit cards should be aware of the new changes to the PCI DSS mandate, made effective on Jan. 1, 2015. Of particular note are three key areas, however, as they have already had dramatic impacts on a number of business owners and vendors. As breaches continue to rise, the consequences of poor security measures are on the rise as well. Understanding these key changes are critical to any business owner.
The SAQ adds 59 technical questions
The 3.1 version of the PCI DSS Self-Assessment Questionnaire for Internet-connected businesses includes 59 additional questions, most of which are network and security related. Answering these questions requires an intimate technical knowledge of exactly how the network is secured and, more importantly, how card data is being segmented and isolated from all other Internet traffic. It’s important for restaurateurs to understand how to answer the questions specific to their network security, since ultimately they are accountable for cardholder security and compliance and will be held liable for stolen information.
Service provider definition expanded
One of the biggest changes in PCI DSS 3.1 is the definition of what constitutes a “service provider.” The new definition includes any company that provides a service that could control or impact the security of cardholder data; instead of only the companies that process, store and transmit cardholder data on behalf of a merchant.
Under the new definition, anybody who sets-up, configures or changes a merchant’s business network, from the IT guy to the payment systems vendor to the security camera company or any other entity that touches the network, could be held equally liable in the event of a data breach that results in the loss of debit or credit information.
Unfortunately, most of these vendors don’t have the expertise to properly set up a segmented, secure and PCI-compliant network and even fewer have the capability to ensure their clients’ systems remain secure and PCI compliant. Many vendors won’t want to assume liability for a breach.
Enforced network segmentation
PCI DSS 2.0 required companies to segment payment traffic from all other Internet traffic. However, many companies have not properly segmented their networks (even though they claim to have done so on their SAQ’s), and as a result PCI compliance rates are up but so are breaches!
To enforce proper network segmentation, PCI DSS 3.1 now requires merchants to attest in the SAQ exactly how they are segmenting payment traffic; the vast majority of restaurateurs doing so by establishing a Cardholder Data Environment.
The gotcha is that when a merchant attests that they segment card data through establishment of a CDE, they are subject to an annual penetration test. These tests cost an average of $5,000 per location. A business with three restaurants could pay about $15,000 a year.
Alternatively, merchants can opt to do a self-assessment penetration test. This requires installing software on the network to run the test, interpreting the results and reporting them to the PCI Council, which is not easy. That’s why third-parties charge $5,000, or more, each.
What’s a business owner to do?
Fortunately, network security and PCI compliance can be outsourced to a PCI Level 1-Certified Service Provider that specializes in securing small and medium-sized business networks. These managed service companies reconfigure existing networks to be secure and PCI compliant by sending all traffic through a pre-configured security appliance installed on the network. It’s the service provider’s responsibility to lock down cardholder data, monitor and manage the network, and assume liability should a breach occur. Because these services are built from the ground up around PCI DSS requirements and data security best practices, the network is by default PCI compliant. And because they automate network monitoring and identify and remove threats in real-time, they are affordable—as low as $65 per month.
PCI DSS 3.1 presents new compliance challenges to any business that handles transactions digitally, but no more than to restaurateurs who typically lack the resources to hire network security experts to ensure their systems are secure and PCI compliant on a continual basis. The availability of affordable managed services to do the heavy lifting of PCI compliance has the added benefit of giving business owners the peace of mind that comes with round-the-clock security.
Gregory Grant is the senior director of sales and business development at Phoenix Managed Networks, the provider of PhoeniXSentry, a cloud-based network security service.