New rules around the security of payment card data are set to take effect with PCI DSS Version 3.0, beginning January 1, 2015. While many changes in the new regulations focus on clarification—providing merchants and payment processors with additional information on expectations and requirements—small businesses will want to pay particular attention to a handful of upcoming revisions.
New in PCI 3.0: Third-party Payment Providers
One important change in the new PCI regulations concerns ecommerce merchants, specifically many of those that redirect customers to a third party to collect payment. This has been a popular strategy for small businesses. Gregory Rosenberg, security engineer at information security firm Trustwave, says that by "not storing, processing or transmitting credit card data," small businesses avoided much of the hassle associated with PCI mandates.
That's changing with PCI 3.0. "Even some of these merchants that don't touch a credit card number anymore will now have their Web environments in scope," Rosenberg says.
Though small businesses may outsource their payment processes to third parties, it doesn't mean they have outsourced their liability, something the new regulations highlight. "Service providers now have to clearly articulate which requirements they address and which ones the merchant must address," Rosenberg says of PCI 3.0. Rather than simply receiving an assurance their third-party partners are compliant, small businesses will need to know how the payment processes are addressed and understand where they may still have compliance obligations.
New in PCI 3.0: Token Payment Changes
Some small businesses avoided a lot of PCI compliance issues because they used tokenization, where you swap payment card data in favor of a surrogate identifier—or "token"—within the merchant's system instead of storing card information directly. Those businesses will soon have more obligations under PCI 3.0.
"They didn't have to worry about being in scope for that component of their business, but the new standards actually state that they do need to be concerned," says Rob Bertke, senior vice president of research and development at Sage Payment Solutions for Sage North America, a payment processing solutions provider.
"If you have the ability to get at the data in any way, shape or form, you're going to fall in scope in a way that you haven't in the past," says Bertke. The ready availability of tokenization decryption methods and devices within a merchant's systems is just one factor that may put more small businesses under PCI 3.0 oversight.
New in PCI 3.0: Penetration Testing
Penetration testing requirements expand in the new regulations, and small business owners should become familiar with changes, since the affects will likely reach far and wide. Many small businesses already conduct some level of automated scans, typically with the intention of looking for malware and other threats. Penetration testing goes further; it's a manual test of a network's defenses and potential vulnerabilities.
"A human being actually trys to break into your system to see what vulnerabilities exist, and then [he or she] takes it a step further and tries to exploit those vulnerabilities," explains Tim Thomas, senior director of security product at ControlScan, a PCI compliance and security solutions provider. Penetration testing is typically more expensive than automated scanning solutions, but these experts will be able to identify weaknesses, such as security patches, that haven't been installed or potential gaps where different systems meet.
New in PCI 3.0: Network Segmentation
If a small business has a point-of-sale (POS) system, Thomas says there's another aspect to the penetration testing mandate in PCI 3.0 that may apply. The self-assessment questionnaire (SAQ) validation tool, and its components, will be the best indicator of whether or not a business is affected by the change.
Under PCI 3.0, "the penetration test has a specific mission for merchants who qualify for an SAQ C—and that's only merchants that have point-of-sale systems. It checks your network segmentation, validates that the network segmentation method you use is working, and that your card data environment is truly isolated," Thomas explains.
If your POS system isn't the only device on your network (maybe you have an IP-based security camera or a building control system that's also connected), then PCI 3.0 sets out clear requirements for segmentation and penetration testing.
Find Out More About PCI 3.0
Fortunately for SMBs, there's a good amount of documentation available on the changes coming in PCI 3.0 at the PCI Security Standards Council website. With the first implementation date just around the corner, it's time to learn how the new regulations will affect your business and when each change applies to you.
Bertke says that even if an small business owner believes that "they have not been in scope for things like their ecommerce software or their CRM solution that might actually have stored payment detail in it," they should use the SAQ tool to evaluate their systems under the 3.0 specifications.
"Go ahead and do it now, to find out if you will have any exposure when the time comes," Bertke advises.
Julie Knudson is a freelance writer whose articles have appeared in technology magazines including BizTech, Processor, and For The Record. She has covered technology issues for publications in other industries, from foodservice to insurance, and she also writes a recurring column in Integrated Systems Contractor magazine.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|