Protecting Cardholder Data


Version 3.0 of the PCI Data Security Standard aims to make payment card security an everyday business practice.

Target. Home Depot. Michaels. These are just three of the major retailers that fell victim to cyber crime in 2014, making it the Year of the Data Breach. Hundreds of millions of credit card numbers and other personal records were stolen from companies of all sizes during the year. According to Chester Wisniewski, senior security analyst at Sophos, as many as six in 10 American consumers have been affected.

Preventing 2015 from being a repeat (or worse) requires a new approach to credit card security. That’s the aim of version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS), released by the PCI Security Standards Council in late 2013. The central message conveyed by the new standard is that payment security must be an everyday business process, a shared responsibility across the entire organization to protect cardholder data.

In many cases, organizations have been putting compliance on the back burner until it needs to be assessed and validated. According to a Tripwire survey, only 41 percent of retail establishments are taking steps to pinpoint security vulnerabilities.

Moving forward, the PCI Security Standards Council expects payment security to become a business-as-usual discipline. As part of this shift in approach, organizations will be required to self-validate their own processes, services and technology to identify and correct compliance issues.

The effective date of PCI DSS 3.0 was January 1, 2014, but version 2.0 remained valid through the end of 2014 to give organizations time to transition. Most 3.0 requirements become mandatory on January 1, 2015; a handful of new requirements remain “best practices” until June 30, 2015, and become mandatory on July 1.

Ensuring Compliance

The PCI DSS, mandated by Visa, MasterCard and the other card brands, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with key data protection measures and submit to security assessments. Under the rules, companies must protect cardholder data through logical and physical access controls, activity monitoring and logging, encryption and regular network scans. Companies that expose customer card data in a breach could face penalties of up to $500,000.

Payment applications that store, process or transmit cardholder data are governed by the PA-DSS, which is derived from the PCI DSS Requirements and Security Assessment Procedures. Using a PA-DSS-validated application does not by itself make an entity PCI DSS-compliant; the application must be deployed in a PCI DSS-compliant environment. A properly built payment application should, however, make PCI DSS compliance easier to achieve.

PCI 3.0 represents a significant update of the standard. Version 2.0 introduced only two new requirements relative to version 1.2.1; version 3.0 introduces roughly 20 new or substantially changed requirements relative to version 2.0.

Most of the changes involve clarification of existing requirements as opposed to new ones, but PCI 3.0 also includes best practices for ensuring PCI-DSS compliance on a regular basis. These best practices include ongoing monitoring of security software and protocols to make sure they’re operating properly, and implementing processes to quickly detect and address security control failures.

An ongoing concern has been whether the cardholder data environment (CDE) is adequately segmented from the rest of the network, since segmentation is what keeps out-of-scope systems out of scope. In light of this, merchants that rely on segmentation must conduct penetration tests and vulnerability assessments according to an industry-accepted methodology, testing from outside the CDE to verify that the segmentation controls actually isolate it. Organizations without in-house personnel qualified to conduct such a test will need to hire a service provider that follows a formalized methodology and validates segmentation as part of the engagement.
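As an added illustration (not code from the article or from the PCI Security Standards Council), the script below performs the simplest form of segmentation check a tester runs from an out-of-scope network segment before the formal penetration test: it attempts TCP connections to each CDE target and reports any path that the documented segmentation policy does not permit. The host names, ports and allow-list are constructed for the example; the check covers TCP only and is a sanity check, not a substitute for the penetration test the standard requires.

```python
"""Segmentation sanity check: probe CDE hosts from an out-of-scope vantage point
and flag any connectivity the segmentation policy does not permit.

Added example, not from the article or the PCI SSC. Host names, ports and the
allow-list in __main__ are constructed for illustration.
"""
import socket
from typing import Dict, List, Set, Tuple

Target = Tuple[str, int]  # (host, port)


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    A completed handshake means a packet path exists from this vantage point
    into the target segment; a refused or timed-out connect means it does not
    (or a firewall dropped it). UDP and ICMP are not covered here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(results: Dict[Target, bool], allowed: Set[Target]) -> List[str]:
    """Compare observed reachability against the documented allow-list.

    Any reachable target not on the allow-list is a segmentation failure: the
    out-of-scope network can reach the CDE, so it would be pulled into scope.
    An allow-listed target that is *not* reachable is reported as a warning,
    since it usually means the probe ran from the wrong vantage point.
    """
    findings: List[str] = []
    for target, reachable in sorted(results.items()):
        host, port = target
        if reachable and target not in allowed:
            findings.append(f"FAIL: {host}:{port} reachable from out-of-scope network")
        elif not reachable and target in allowed:
            findings.append(f"WARN: {host}:{port} is allow-listed but unreachable; check vantage point")
    return findings


def run_check(targets: List[Target], allowed: Set[Target], timeout: float = 1.0) -> List[str]:
    """Probe every target and return the findings list (empty means pass)."""
    results = {t: probe(t[0], t[1], timeout) for t in targets}
    return evaluate(results, allowed)


def open_loopback_listener() -> Tuple[socket.socket, int]:
    """Self-test aid: open a listening socket on 127.0.0.1 and return (sock, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: CDE hosts as seen from a corporate (out-of-scope) VLAN.
    # Only the tokenisation API on 443 is meant to be reachable from there.
    cde_targets = [("pos-db.cde.example", 1433), ("pos-db.cde.example", 3389),
                   ("token-api.cde.example", 443)]
    permitted = {("token-api.cde.example", 443)}
    for line in run_check(cde_targets, permitted) or ["PASS: no unexpected paths into the CDE"]:
        print(line)
```

Run it from a host on the network segment you claim is out of scope, not from inside the CDE; a listener on the database port answering from the corporate VLAN is exactly the finding an assessor would use to pull that VLAN into scope.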

Maintaining Control

Merchants must maintain an inventory of system components that lists all hardware and software used in the cardholder data environment and describes what each piece of technology does and for what purpose. Organizations that have many locations and those that utilize virtualization may struggle to manage the inventory of these ever-changing system components.

Point-of-Sale (PoS) devices that capture cardholder data must be inventoried and periodically inspected to ensure they haven’t been altered or replaced by different devices. Because card skimming is a prevalent problem, employees must be able to identify signs of tampering or suspicious behavior, which is likely to require additional security training for anyone who works at the point of sale. Physical access to PoS by employees must be controlled and authorized by the merchant, and if an employee leaves, access must be revoked immediately.

In addition to using unique authentication credentials for each customer environment, PCI 3.0 requires service providers to provide comprehensive written details of compliance-related services, roles and responsibilities. Documentation should clarify which PCI compliance requirements are the responsibility of the merchant and which are the responsibility of the vendor or service provider. Agreeing to the scope of each party’s responsibilities in writing will add accountability and avoid confusion during compliance assessments.

Under version 2.0, anti-malware systems needed to be running, kept current and generating audit logs. Under PCI 3.0, merchants must also “identify and evaluate evolving malware threats” and have a process that alerts the organization to new malware. The anti-malware system must be configured so that users cannot disable or alter it without management authorization.

No merchant wants to fall victim to cyber crime — in addition to financial costs, a data breach can irreparably damage a business’ reputation. While PCI 3.0 won’t prevent a data breach, organizations can reduce security risks by adhering to its requirements.