PCI DSS Mandates Will Bring "Security Culture" to Retail Industry

(This is the first of a two-part blog on what retailers need to know about pending changes with the Payment Card Industry Data Security Standard.)

For retailers, the Payment Card Industry Data Security Standard (PCI DSS) has essentially translated to one word for nearly a decade: compliance.

PCI DSS sets minimum levels of security for credit card transactions, defining a common set of industry tools and measurements. Merchants receive a list of data protection “to do’s” impacting firewall configurations, password defaults, data encryption/storage methods, anti-virus software deployment, systems tests, and other related activities. When the auditors come around, these businesses seek to demonstrate that they’ve checked every box on the list to achieve compliance.

Unfortunately, compliant doesn’t always equate to secure.

Which is why a significantly revamped version of PCI DSS is in place – one intended to transition retailers from a state of merely checking boxes to one in which they are building a fully realized, security-driven culture. The new standard, PCI DSS version 3.0, holds companies accountable for the entire security structure of their customer cardholder data whether the transactions occur in a store or online.

Several recent, high-profile breaches have brought urgency to the issue: Cyber criminals stole 40 million customer credit card numbers and 70 million addresses, phone numbers and additional items of information from Target late last year. Earlier this year, Michaels Stores announced that it was investigating a breach, as data related to 3 million of its customers’ payment cards was stolen. Most recently, Home Depot confirmed that it was the victim of a data breach impacting its payment data systems.

What’s clear is that sophisticated individual criminals and even syndicates are intensely targeting retailers. In the old days, crooks cased bank building layouts and alarm systems to steal the cash inside the vaults. Today, the “cash” exists within credit cards and the information they contain. What’s more, you don’t have to circumvent an alarm system and deal with armed guards and police to get the data. You only need to access the network. Thanks to ever-proliferating and increasingly intricate forms of social engineering and malware infiltration, the “bad guys” are getting better and better at this.

That’s why the PCI DSS standards are going through an overhaul: compliance simply isn’t enough. PCI DSS 3.0 officially replaced the 2.0 version on Jan. 1, 2014. By Dec. 31, 2014, version 2.0 will be retired.

The changes include these steps, among others:

• The verification of techniques used to segment the cardholder data environment (CDE) from other network areas in support of industry-accepted penetration testing methodologies. In essence, a diagram of the network must be presented to depict the CDE flowing within, to illustrate how this data is isolated and protected.
• The maintenance of a current inventory of hardware and software components that support the CDE.
• Documentation of PCI DSS standards that are managed by vendors, not by the business itself. (Responsibility for cardholder data is considered shared, although the merchant ultimately takes the primary role here.)

Beyond these steps, version 3.0 promises to take retailers to a new level of threat awareness, prevention and remediation. With 2.0, an auditor could declare your business compliant. But it didn’t mean you were secure. With version 3.0, companies can achieve compliance with a year-round emphasis on implementing best practices. Education and awareness will increase with regard to topics such as password management and end-user security training. Routine audits and periodic reviews of the network will pave the way for the continuous monitoring of controls.

In other words, it’s not about just “making sure the house is clean” every time an auditor shows up to poke around your systems. It’s about making sure that your systems are protected 100 percent of the time.

That said, this is a tall order for many companies and therefore one they should not pursue on their own, especially small retailers. Establishing a partnership with the right security services provider can greatly help you get to where you want to be.

In Part two of this blog, we’ll explain how to do so. Meanwhile, if you’d like to speak with us about PCI DSS and what Fusion Connect can do for you, please contact us.