The end-of-year deadline for the new PCI DSS v3.0 compliance standard is looming large – and for businesses scrambling to prepare their compliance operations for the coming changes, working out what has to be done can be a confusing process. So just what are the changes and how will they affect you? And, most importantly, how can you ensure you will remain compliant?
The standard was created by the Payment Card Industry Security Standards Council to increase controls around cardholder data to reduce credit card fraud. Of course, today’s payment environment is more complex than ever, with multiple access points to cardholder data. To address this evolving landscape, changes focus heavily on education, awareness and security as a shared responsibility.
But what does all this mean to you? Under the new version of the standard, requirements 9-12 will see a particular increase in scrutiny. These are:
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Many businesses take the view that PCI compliance can be taken care of by working with the right third-party hosting provider. For the lucky ones, that’s absolutely true, but ultimate accountability remains with the business, and it’s important to find the right partner who can help ensure you aren’t left out in the cold when the QSA comes to call.
To make compliance easier it is vital to look at your partners carefully – find out exactly how compliant their service or offering is and where it fits into your overall security posture. Every provider is different – so it’s important to know how security with your managed service provider differs from security with your hosting provider, and how data is protected in transit and at rest across different networks and hosts. For example, over 30 UK data centres meet two of the 12 requirements (‘hosting providers’ on the Visa Europe list), but remember: even if you hand off two requirements – usually requirements 9 and 12 – to a ‘hosting provider’, you still have to comply with the other ten PCI DSS requirements. Failure to comply with the full set of standards could put your business on hold and leave you with hefty fines for any breach, as well as reputational damage.
For complete PCI DSS compliance, look to work with a ‘managed service provider’ partner within the Visa Merchant classification – this will be particularly important once PCI DSS 3.0 goes live, as Visa will then require all service providers to meet its criteria and be listed as having “managed service provider” status. These partners can help you with the entire PCI process, from assessing to remediating your security posture. At The Bunker we have an internal governance team dedicated to advising and consulting with each customer. We assess the level of compliance they are currently at, then put a roadmap in place to address any gaps. We also handle all elements of reporting and provide templates to document every necessary update – for instance in detecting and documenting suspicious behaviour – and we can also provide the complete reporting pack required by the QSA.
PCI DSS compliance is about more than just controls and fines – it is a way of reducing business risk and preventing breaches and their consequences. But with fines of up to £100 per card affected – and Visa looking to increase its non-compliance fees – the costs resulting from an incident could be enough to cripple a business. Add to this reputational and brand damage and you’re faced with a risk you simply cannot afford to take. This is why it pays to partner with an expert who sees PCI compliance as a way to achieve operational best practice for security, and who can help you get on the front foot.
Still not sure who can manage your full 12 requirements? Simply check the Visa merchant list for “Managed service provider” status.