What does PCI DSS 3.0 mean for merchants in 2015?

Version 3.0 of the PCI Data Security Standard (PCI DSS) was published in November 2013, and compliance with it becomes mandatory on Jan. 1, 2015, when version 2.0 is retired. As Network World noted, many retailers are still unsure of what the changes mean and how they will affect them, which could result in major compliance problems as merchants try to adjust.

Fortunately, the changes are not sweeping: PCI DSS 3.0 mostly clarifies existing requirements rather than introducing a new set of controls. The clarifications are designed to tighten the controls around payment processes, reduce merchants' exposure to card fraud and, along the way, improve the protection of cardholder data.

Redefining scope
One of the biggest clarifications concerns scope definition, which Network World describes as “one of the thorniest issues within PCI compliance.” In the past, retailers have been able to claim compliance by running vulnerability scans against a narrowly defined set of systems that handle credit and debit card data. PCI DSS 3.0 makes clear that scope is not limited to those systems: anything connected to the cardholder data environment, or that could affect its security, is in scope too, so the scans (and every other control) have to cover those systems as well.

In theory, this should stop merchants' limited-scope scans from overlooking critical servers and workstations that share a network with the card processing systems. Attackers have learned to go after exactly those adjacent systems, because retailers left them weakly protected on the grounds that they fell outside the compliance requirements. An attacker does not need to break into a hardened payment system directly if a less fortified system on the same network gives the same access.

“That means attackers just need to find the easiest way to breach the network perimeter, which helps explain why we see so many phishing attacks that trick a user into running malware that opens a backdoor into their device,” the news source added. “The attacker can then use the compromised device to launch attacks on the credit card processing systems from behind the secured perimeter.”

Network segmentation is not itself a PCI DSS requirement, but version 3.0 strongly encourages merchants to isolate the cardholder data environment behind firewalls, both to contain a breach and to keep unrelated systems out of scope. The same thinking applies to third-party connections, which attackers can use as a back door into sensitive systems. That is widely reported to be how the Target attackers got in: using network credentials taken from an HVAC contractor that did work for Target.
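To make the scoping point concrete, here is an added example (my own illustration, not code from the article, from Network World or from the PCI Security Standards Council) that classifies a constructed host inventory under a deliberately simplified version of the 3.0 scoping logic: hosts that handle cardholder data form the cardholder data environment (CDE); any other host on the same unfiltered network segment is pulled into the CDE because nothing blocks lateral movement inside a segment; a host outside those segments that the firewall lets talk to a CDE host is a "connected-to" system and is in scope; everything else is out of scope. The host names, segments and firewall flows are made up, and the rule set is an assumption of this example, not a substitute for a QSA's scope determination.

```python
"""How PCI DSS scope changes with and without network segmentation.

Constructed sample inventory and firewall policy (not from the article).
The scoping rule below is a simplification of PCI SSC guidance and is an
assumption of this example:
  - a host that stores, processes or transmits cardholder data (CHD) is CDE;
  - every other host on the same unfiltered segment as a CDE host is CDE too;
  - a host outside the CDE segments with a permitted flow to or from a CDE
    host is "connected-to" and therefore in scope;
  - everything else is out of scope.
"""
from collections import Counter

# host -> (network segment, handles cardholder data?)   [constructed data]
HOSTS = {
    "pos-01": ("pos-vlan", True),
    "pos-02": ("pos-vlan", True),
    "payment-gw": ("pos-vlan", True),
    "backoffice-1": ("corp-lan", False),
    "mail-srv": ("corp-lan", False),
    "hvac-ctrl": ("corp-lan", False),   # the contractor-managed box
    "jump-host": ("mgmt-vlan", False),
    "guest-ap": ("guest-wifi", False),
}

# Flows the firewall permits between segments, as (src host, dst host, port).
# Traffic inside one segment is never filtered, so it is not listed here.
SEGMENTED_FLOWS = {
    ("jump-host", "payment-gw", 22),      # admin SSH into the gateway
    ("backoffice-1", "payment-gw", 443),  # settlement reports
}


def flatten(hosts, segment="store-lan"):
    """Model the pre-segmentation store: every host on one flat network."""
    return {h: (segment, chd) for h, (_seg, chd) in hosts.items()}


def classify(hosts, allowed_flows):
    """Return {host: "CDE" | "connected-to" | "out-of-scope"}."""
    cde_segments = {seg for seg, chd in hosts.values() if chd}
    # A CHD host drags its whole segment into the CDE.
    cde_hosts = {h for h, (seg, _chd) in hosts.items() if seg in cde_segments}
    scope = {h: "CDE" for h in cde_hosts}
    # Any permitted flow that crosses the CDE boundary, in either direction,
    # makes the non-CDE end a connected-to system. Connected-to systems do
    # not extend scope further to their own neighbours.
    for src, dst, _port in allowed_flows:
        for inside, outside in ((src, dst), (dst, src)):
            if inside in cde_hosts and outside in hosts and outside not in cde_hosts:
                scope[outside] = "connected-to"
    for h in hosts:
        scope.setdefault(h, "out-of-scope")
    return scope


def segmentation_candidates(hosts, scope):
    """Hosts that are CDE only because they share a segment with a CHD host:
    the first things to move behind a firewall to shrink scope."""
    return sorted(h for h, (_seg, chd) in hosts.items()
                  if scope[h] == "CDE" and not chd)


def summarize(scope):
    """Count hosts per scope category."""
    return dict(Counter(scope.values()))


if __name__ == "__main__":
    flat = classify(flatten(HOSTS), SEGMENTED_FLOWS)
    print("flat network:", summarize(flat))
    print("  move these first:", segmentation_candidates(flatten(HOSTS), flat))
    seg = classify(HOSTS, SEGMENTED_FLOWS)
    print("segmented network:", summarize(seg))
    for host, status in sorted(seg.items()):
        print(f"  {host:13s} {status}")
```

On the flat network every host, including the HVAC controller and the guest access point, lands in the CDE and has to meet the full standard. With the segments and the two explicit firewall flows in place, only the three card-handling hosts are CDE, the jump host and back-office server are connected-to systems that still need the relevant controls, and the rest drop out of scope. The permitted flows are the part to watch: each one is a path an attacker on the outer host can use, so the connected-to hosts deserve the same hardening and monitoring attention as the CDE itself.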

PCI 3.0 comes amid industry criticism
It is no secret that several retailers have fallen victim to data breaches in the past 12 months. Target was the most prominent example, with an attack that exposed tens of millions of customers' credit and debit card numbers and cost the company significant revenue during the peak holiday season. More recently, Home Depot confirmed a similar breach in September 2014, which illustrates how widespread the problem is.

With this in mind, many industry analysts have called into question the effectiveness of PCI DSS compliance. Companies that had been assessed as compliant have still been breached.

“How much evidence do we need? PCI is not stopping the big breaches,” Gartner analyst Avivah Litan said in a Credit Union Times interview. “It’s unrealistic to expect PCI to solve this problem.”

PCI DSS compliance is a good place to start, but it should not be the only measure retailers implement. They should also take a hard look at the point-of-sale systems they run and make sure those systems use current card-security technology: point-to-point encryption, so that card data is encrypted at the terminal and never travels in the clear across the store network, and tokenization, so that stored card numbers are replaced with surrogate values that are useless if stolen. Both protect customers, and both can take systems out of the cardholder data environment altogether, which leaves merchants better placed to pursue future sales opportunities without expanding their compliance burden.