In the past, merchants that used third-party payment gateways were exempt from compliance with the Payment Card Industry Data Security Standard (PCI DSS). By using a separate card processing company, merchants never store credit card information on their own servers, and for liability purposes the payment gateway itself is responsible for protecting that information. However, the newest compliance requirements in PCI DSS 3.0 may put online and small business merchants under the spotlight if they process credit and debit cards.
Cracking Down on Fraud
The updates to the PCI standard are designed to reduce the ability of cyber criminals to access personal information and card numbers. In the past, major retailers and even high-profile financial institutions have been attacked by hackers looking to steal this information. The newest version of the Data Security Standard aims to protect that information regardless of whether it's stored on a local server or by a third party. The standard's developers hope that compliance will make obtaining the information far more difficult and act as a practical deterrent against future attempts.
In the past, most organizations relied on some form of malware detection software to help reduce the risk to customers. The standards set in PCI DSS 3.0 require methodology-based penetration testing to ensure the safety of data. This means that servers, switches, routers and any other network components need to be verified as safe from intrusion. This includes software as well as every component between the credit card itself and the server saving the information. Although this requirement will make it more difficult for hackers to gain access to sensitive data, it may put additional strain on the retail market. Upgrades to software and hardware may become necessary to keep accepting credit cards, which some small businesses may not be able to afford.
Isolation of the Network
Network segmentation is one of the focal points of the new DSS compliance requirements. If a business uses a point-of-sale system, the penetration test will target the network infrastructure to ensure it is isolated from outside networks. Every IP-addressed device on that network may also need to be verified as inaccessible from outside the segment. Any device that is capable of storing data, whether on a drive or in active memory, can potentially become a security threat.
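A segmentation test starts from the access rules that are supposed to isolate the point-of-sale segment, so a useful first check is to evaluate those rules against representative flows before anyone sends a packet. The script below is an added example and not part of the original article: it models an ordered, first-match firewall rule set with an implicit final deny, then checks whether any host in an out-of-scope segment can reach the cardholder data environment on common service ports. The segment names, addresses, rule sets and port list are constructed sample data; the weak rule set shows a segmentation gap, the hardened one allows only a single documented exception.

```python
"""Added example (not from the original article): evaluate an ordered
firewall/ACL rule set to confirm that out-of-scope network segments cannot
reach the cardholder data environment (CDE). All addresses, segment names
and rules are constructed sample data, not a real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any TCP port


# Constructed segments: one in-scope POS segment, two out-of-scope segments.
SEGMENTS = {
    "cde_pos": ipaddress.ip_network("10.10.0.0/24"),        # POS terminals and payment server
    "corp_lan": ipaddress.ip_network("10.20.0.0/24"),       # office workstations
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),  # customer wireless
}
IN_SCOPE = {"cde_pos"}

# Weak rule set: the whole office LAN may reach the CDE on any port.
WEAK_RULES = [
    Rule("allow", "10.20.0.0/24", "10.10.0.0/24", None),
    Rule("allow", "10.10.0.0/24", "10.10.0.0/24", None),
]

# Hardened rule set: one jump host may reach the payment server over SSH only,
# everything else into the CDE is explicitly denied.
HARDENED_RULES = [
    Rule("allow", "10.20.0.10/32", "10.10.0.5/32", 22),
    Rule("allow", "10.10.0.0/24", "10.10.0.0/24", None),
    Rule("deny", "0.0.0.0/0", "10.10.0.0/24", None),
]

# The one path that is documented and approved (jump host -> payment server, SSH).
DOCUMENTED_EXCEPTIONS = frozenset({("10.20.0.10", "10.10.0.5", 22)})


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; no match means the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action == "allow"
    return False


def segmentation_findings(rules, exceptions=frozenset(), segments=SEGMENTS,
                          in_scope=IN_SCOPE, ports=(22, 443, 1433, 3389, 8443)):
    """Return every allowed out-of-scope -> in-scope path that is not a documented exception.

    Two sample hosts per segment are probed; a real test would enumerate the
    full address ranges and confirm the result with live traffic.
    """
    findings = []
    for sname, snet in segments.items():
        if sname in in_scope:
            continue
        for dname, dnet in segments.items():
            if dname not in in_scope:
                continue
            for src_host in (snet[10], snet[200]):
                for dst_host in (dnet[5], dnet[100]):
                    for port in ports:
                        path = (str(src_host), str(dst_host), port)
                        if evaluate(rules, *path) and path not in exceptions:
                            findings.append((sname, dname) + path)
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        hits = segmentation_findings(rules, DOCUMENTED_EXCEPTIONS)
        print(f"{label}: {len(hits)} undocumented path(s) into the CDE")
        for hit in hits[:3]:
            print("  ", hit)
```

A clean result from this check only shows that the written policy isolates the segment; the penetration test the standard calls for still has to confirm that the deployed devices enforce it, which is why the rule evaluation is paired with live verification in practice.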
Online Merchants and Security
Previously, online merchants that used third-party payment gateways were exempt from PCI compliance. As of January 1, 2015, website owners need to test every aspect, from the eCommerce solution software to the hosted servers. However, most hosting companies already test their servers regularly for the kinds of intrusions described in the PCI DSS 3.0 requirements. On the other hand, business owners who host their own servers and eCommerce solutions will have to test them for compliance themselves to ensure the system is defended from penetration.
While your business card carries pertinent information about your company printed on its surface, private information about you and your clients may be accessible online. Malware protection shouldn't be the only defense you have against penetration attacks. Take the time to secure your network for PCI DSS 3.0 compliance and aid in fraud prevention. Your customers will appreciate the extra effort.