News Feature | January 6, 2015

What VARs Need To Know About PCI DSS 3.0

Christine Kern

By Christine Kern, contributing writer

Retail IT News For VARs — January 19, 2014

The third revision of the PCI Data Security Standards (PCI DSS 3.0) became mandatory on Jan. 1, 2015. These changes not only affect merchants, but also retail VARs and other IT solutions providers.

Greg Grant, VP of managed security services at PhoenixSentry, addressed “The Future of Electronic Payments: Security and PCI Compliance” at BlueStar’s VARTECH 2014 conference in New Orleans.

As Business Solutions Magazine reports, Grant explained that the changes include the definition of a services provider as any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” Grant explains, “This includes companies that provide services that control or could impact the security of cardholder data.” PCI DSS 3.0 requires companies to name their services providers when filling out their self-assessment questionnaire (SAQ). It also includes a transfer of risk and exposure to all companies that implement, service, or maintain point of sale (POS) systems, IT systems, and/or ancillary IP connected equipment/services.

Grant recommends that services providers look for ways to ensure that their risk and exposure are limited, and he also suggests a “solutions approach” to providing network security and PCI compliance, focusing on protecting all sensitive data systems — not just those holding payment card data. Solutions can include managed services that provide continuous network monitoring, cloud-based software, certification to ensure compliance, breach protection/insurance, and features including Wi-Fi, 3G/4G backup, and content filtering.

A blog post from Datacap Systems points out changes for retailers in PCI DSS 3.0 are not sweeping, but mainly focus on clarifying previously stated requirements. One of the biggest clarifications regards scope definition. Under the PCI DSS 3.0, retailers must expand the scope of scans in order to be compliant — running vulnerability scans on a limited number of credit and debit card data systems will no longer be sufficient.

The widened scope ensures that merchants do not overlook vulnerabilities on systems that can reach cardholder data even though they do not store it. As Network World explains, “It’s not necessary for attackers to go directly after the systems that contain credit card data, especially because most companies have a ‘flat network’ where only the Internet connection is guarded by a firewall and every server has the ability to communicate without going through a firewall or other filter.”

Under the 3.0 version, merchants will be encouraged to segment networks via firewalls as a means to isolate potential breaches. This also includes third-party companies, which fraudsters can use to gain backdoor entry into sensitive servers.
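The scoping point made above (a flat network pulls every host into the scan scope, segmentation shrinks it, and a third-party connection into the cardholder data environment pulls that third party back in) can be worked through concretely. The following is an added illustration, not code from the article, from Datacap, or from any PCI tooling; the hostnames, segments, and firewall rules are constructed sample data, and `in_scope_hosts` is a hypothetical helper that treats a host as in scope if it holds cardholder data or sits in a segment that can reach a cardholder-data segment.

```python
"""
Scope illustration: which hosts belong in a PCI vulnerability scan, derived from
network reachability rather than from which hosts actually store card data.
"""
from collections import deque

# Constructed sample inventory (hypothetical hostnames, not a real deployment).
# host -> (network segment, holds cardholder data?)
INVENTORY = {
    "pos-01":        ("cde",    True),
    "pos-02":        ("cde",    True),
    "payment-gw":    ("cde",    True),
    "web-kiosk":     ("office", False),
    "hr-fileshare":  ("office", False),
    "guest-wifi-ap": ("guest",  False),
    "vendor-vpn":    ("vendor", False),  # third-party remote-support box
}

SEGMENTS = sorted({seg for seg, _ in INVENTORY.values()})

# Firewall policy expressed as allowed (source_segment, destination_segment) pairs.
# A flat network has no internal filtering: every segment can reach every other.
FLAT_RULES = {(a, b) for a in SEGMENTS for b in SEGMENTS}

# Segmented network: each segment only talks to itself, except that the vendor
# segment is still permitted into the CDE for remote support (a common gap).
SEGMENTED_RULES = {(s, s) for s in SEGMENTS} | {("vendor", "cde")}


def in_scope_hosts(inventory, rules):
    """Return the sorted list of hosts in PCI scope under the given firewall rules.

    A host is in scope if it holds cardholder data, or if its segment can reach a
    cardholder-data segment directly or transitively. Reachability is computed by
    walking the segment graph backwards from the CDE segments (BFS).
    """
    cde_segments = {seg for seg, holds in inventory.values() if holds}

    # Reverse adjacency: destination segment -> segments allowed to send to it.
    reverse = {}
    for src, dst in rules:
        reverse.setdefault(dst, set()).add(src)

    reaching = set(cde_segments)
    queue = deque(cde_segments)
    while queue:
        seg = queue.popleft()
        for src in reverse.get(seg, ()):
            if src not in reaching:
                reaching.add(src)
                queue.append(src)

    return sorted(h for h, (seg, holds) in inventory.items()
                  if holds or seg in reaching)


if __name__ == "__main__":
    print("flat network, in scope:     ", in_scope_hosts(INVENTORY, FLAT_RULES))
    print("segmented network, in scope:", in_scope_hosts(INVENTORY, SEGMENTED_RULES))
```

Run against the flat policy, every host in the inventory lands in scope, which is exactly the situation the article says limited scans used to miss. Under the segmented policy only the three CDE hosts remain, plus the vendor VPN box, because its segment is still allowed to talk into the CDE; that last result is the third-party backdoor the article warns about, and it shows that scope is decided by the rules, not by where the card data sits.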