Last year, the PCI DSS mandate made three new changes to increase security measures against fraud, which have already begun to affect merchants and business owners. Any merchant who accepts credit card payments must comply with the security guidelines of the PCI DSS 3.1 mandate. The standards set within PCI are in place to help protect cardholder data and sensitive transaction information, in addition to eliminating data security violations. If a merchant does not become PCI compliant and suffers a data breach, they can face expensive liability costs and fines.

It is imperative for business owners and merchants to understand these three changes to the PCI 3.1 mandate:

1. Required Network Segmentation
With PCI DSS 2.0, businesses were forced to divide payment traffic from other Internet traffic. Still, many businesses have not correctly segmented their networks, causing PCI compliance rates to rise as well as breaches.

To mandate appropriate network segmentation, PCI DSS 3.1 now requires merchants to confirm in a Self-Assessment Questionnaire (SAQ) precisely how they are segmenting their payment traffic. With this in place, many restaurant owners are enforcing this policy through a Cardholder Data Environment (CDE).

On the other hand, a merchant who verifies that card data has been segmented by forming a CDE is on the hook for an annual penetration test. These tests are costly, averaging $5,000 per location.

Instead, merchants can elect to take a self-assessment test themselves. To process this test, software must be installed on the network so that the results can be interpreted and reported to the PCI Council. Typically, third parties will charge around $5,000 to do this.

2. The Addition of New Technical Questions  
The updated 3.1 mandate of the PCI DSS Self-Assessment Questionnaire includes 59 new questions that are primarily security and network based. Answering these questions requires an advanced level of technical knowledge, including an understanding of network security and of how card data is segmented and kept separate from the rest of Internet traffic. It's vital for merchants to understand these questions and know how to answer them based on their network, as they are the ones liable for cardholder compliance and security.

3. Revised Definition Of "Service Provider"
Perhaps the most significant alteration to the PCI 3.1 mandate is the definition of a "service provider". The expanded definition incorporates any business that offers a service that could affect cardholder data security, instead of just businesses that transmit, store, and process cardholder data for the merchant.

Under this revised definition, anyone who sets up, changes, or configures the network for a merchant can also be responsible in the event of a credit/debit card information breach. Examples include an IT employee or consultant who configured the network, or the security camera company. However, the majority of these vendors are not skilled in accurately setting up a secure, segmented, and PCI-compliant network, nor are they proficient in safeguarding the security and compliance of their clients' systems. Merchants must ensure they are PCI compliant at all times regardless of who is assisting with their network or business operations.

The newly updated PCI DSS 3.1 mandate brings several changes for merchants who accept credit card transactions. Network segmentation is now enforced for payment traffic, 59 technical questions have been added, and the definition of "service provider" has been revised. It is fundamental that these merchants become familiar with these terms and conditions to help further protect their businesses from potential instances of fraud or breaches and to stay up to date with the most relevant security standards within the payments industry.