Webshops responsible for security payments
Last November, the PCI Security Council introduced the third version of the Payment Card Industry Data Security Standard (PCI DSS 3.0). For the first time, the edition offers clarity about the responsibility of companies processing, storing, or transmitting data of credit card holders. Especially for webshops that ‘redirect’ this can have a big impact.
The PCI Security Council was established by Visa, MasterCard, American Express, Discover, and JCB in 2006 to increase the security of internet payments and to prevent fraud. The fact that this topic is still important, became painfully obvious recently. The Irish marketing company Loyaltybuild was victim of a cyber-attack in which the credit card data of at least 376,000 customers were stolen. Besides the fact that this damaged the reputation of Loyaltybuild significantly and created massive turmoil among cardholders, this could also mean considerable financial loss to the credit card companies. After all, they are held responsible for payments made with stolen data.
It is, therefore, understandable that the credit card companies are increasingly stringent towards everyone that has access to areas where cardholder data is processed, stored or transmitted. These days, there are more and more access points to this data, such as via e-commerce, mobile platforms and cloud computing. With PCI DSS the credit card companies set the conditions – including mandatory certification and annual audits – to organizations that come into contact with data. PCI DSS can be summarized in six objectives, which again can be divided into twelve specific requirements.
Build and manage a secure network
- Install and maintain a firewall to protect cardholders’ data
- Don’t use default passwords and other security perimeters
Protect cardholders’ data
- Protect stored cardholders’ data
- Encrypt the transfer of cardholders’ data over open public networks
Take care of a vulnerability management program
- Use up-to-date antivirus software on all systems that are exposed to malware
- Develop and maintain secure systems and applications
Implement good access control
- Limit access to cardholders’ data to ‘need to know’
- Appoint an unique ID to everyone who has access to a computer
- Limit physical access to cardholders’ data
Frequently monitor and test networks
- Follow and monitor all access to network sources and cardholders’ data
- Frequently test security systems and processes
Take care of information security policy
- Take care of an information security policy
PCI DSS 3.0
After three years of preparation version 3.0 of PCI DSS was introduced in November 2013. Unlike previous times, the changes in PCI DSS 3.0 were first presented to experts in the industry and are thus fortunately more applicable in practice. As Participating Organization in the PCI Security Council, Basefarm also participated in this exercise.
The main objective of PCI DSS 3.0 is to help organizations take a proactive attitude towards protecting card data. Working with PCI DSS must become ‘business as usual’. Organizations should not just be motivated by the need to achieve their certification every year, but must act based upon their responsibility for security. The 98 amendments that version 3.0 entails contain many updates and increased rules to protect against the latest online threats, such as malware, viruses, and WiFi access.
But more important than rules and updates is the fact that PCI DSS version 3.0 finally provides clarity about the interpretation of PCI DSS. Especially for merchants, it creates long awaited clarity about the scope of their responsibilities, which may have major consequences. Online stores that send their customers to the vicinity of a third party to make the payment (redirect), now have to explicitly express that they meet the requirements of PCI DSS through a Self-Assessment. Securing cardholders’ data will become a shared responsibility between the merchant, payment processor and hosting company.
Although PCI DSS 3.0 will be applied as of January 1, 2014, companies involved will have the opportunity to adjust their systems accordingly until December 31, 2014. Now that the scope of the responsibility is clear for the first time, the major credit card companies that are united in the PCI Security Council will enforce it more strictly. The days when companies could hide behind the ambiguous guidelines are definitely over. We also anticipate that many online stores that still perceive security as ‘add-on’ will have a lot of catching up to do. Their primary questions will often be dictated by the fear of fines and possible loss of revenue. But we hope they continue to look one step further and create a safe handling of cardholder data as part of their operation. No one wants to be in a similar situation as loyaltybuild.