Bits & Bytes
Compliance
Benjamin Franklin said, “By failing to prepare, you are preparing to fail.” While he likely hadn’t anticipated the issue of credit card data security, Franklin’s words can be aptly applied to the recurring — and looming — changes surrounding PCI compliance.
Last fall, the PCI Security Standards Council (a council formed by the payment card brands with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard) released the latest data security standard (DSS), version 3.0. To help fuel retailers prepare for what will soon be required as a result, a Conexxus data security working group reviewed the changes with the most significant impacts to convenience retailers.
When Is It Effective?
PCI DSS version 3.0 launched on January 1, 2014; it becomes mandatory on January 1, 2015. Some new requirements, noted as “phased requirements,” have a July 1, 2015, implementation date.

Keep these dates in mind when preparing for your next assessment. If you plan to use DSS version 2.0, allow yourself enough time to complete the assessment by December 31, 2014. No version 2.0 assessments will be accepted after this date.
What’s New?
Some potentially significant version 3.0 changes are required by January 1, 2015:

• Implementing PCI into business-as-usual activities. PCI should be part of ongoing daily operations and not just once a year when the annual assessment is completed. It’s about keeping data security top of mind, day in and day out.

• Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS. Compile a list of hardware and software components, including a functional description of each, and keep it current. The list, which includes such devices as the point-of-sale system, indoor PIN pads and dispenser card readers, will help define the scope of the PCI environment for implementing PCI DSS controls.
These changes are required by July 1, 2015:

• Requirement 9.9: Protect devices that capture payment card data from tampering and substitution. This change requires periodic inspection of card reader devices for tampering or substitution. To do this, take pictures of the devices and use them during inspections to see whether they’ve been altered, or mark the devices with a special label or secure marker pen, such as a UV light marker.

Also, train staff to be aware of suspicious behavior of visitors to the site, such as attempts by unauthorized people to unplug or open devices. Staff should immediately report to managers if they observe acts of others that look suspicious, or think a PIN pad or another device has been tampered with or substituted.

• Requirement 11.3: Implement a methodology for penetration testing (to check whether outsiders can get into your network) based on industry-accepted penetration testing approaches. This also requires correcting weaknesses found during penetration testing that could allow a hacker to get into the system, and repeating testing to validate corrections. Penetration testing must verify that network segmentation methods are operational and effective when segmentation is used to isolate the card data environment from other networks.
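One way to tie the Requirement 2.4 inventory to the Requirement 9.9 periodic inspection is to record each card-capture device’s serial number and tamper-seal ID in the inventory, then compare every inspection against that baseline. The script below is an added illustration, not part of this column or of any Conexxus material; the device locations, serial numbers, seal IDs and the 30-day inspection interval are all constructed assumptions.

```python
from datetime import date

# Constructed baseline inventory (Req. 2.4): one record per card-capture
# device, keyed by where it sits in the store. Values are made up.
BASELINE = {
    "POS-1":  {"model": "Example PIN pad", "serial": "PP-0001", "seal": "S-101"},
    "POS-2":  {"model": "Example PIN pad", "serial": "PP-0002", "seal": "S-102"},
    "PUMP-3": {"model": "Example reader",  "serial": "CR-3003", "seal": "S-303"},
}

# Constructed record of one periodic inspection (Req. 9.9). Staff note the
# serial and seal they actually see; a missing seal is recorded as None.
INSPECTION = {
    "date": date(2015, 7, 15),
    "devices": {
        "POS-1":  {"serial": "PP-0001", "seal": "S-101"},  # matches baseline
        "POS-2":  {"serial": "PP-9999", "seal": "S-102"},  # serial differs
        "PUMP-3": {"serial": "CR-3003", "seal": None},     # seal gone
        "POS-4":  {"serial": "PP-0004", "seal": "S-104"},  # not in inventory
    },
}

# Assumed date of the previous inspection and assumed maximum interval.
LAST_INSPECTION = date(2015, 6, 1)
MAX_DAYS_BETWEEN_INSPECTIONS = 30


def inspect(baseline, inspection, last_inspection, max_days):
    """Compare an inspection against the inventory and return (location, finding) pairs."""
    findings = []
    seen = inspection["devices"]
    for loc, expected in baseline.items():
        found = seen.get(loc)
        if found is None:
            findings.append((loc, "missing"))          # device gone or skipped
            continue
        if found["serial"] != expected["serial"]:
            findings.append((loc, "serial_mismatch"))  # possible substitution
        if found["seal"] != expected["seal"]:
            findings.append((loc, "seal_mismatch"))    # possible tampering
    for loc in seen:
        if loc not in baseline:
            findings.append((loc, "unlisted"))         # inventory is out of date
    if (inspection["date"] - last_inspection).days > max_days:
        findings.append(("*", "overdue"))              # inspection cadence slipped
    return sorted(findings)


def run_sample():
    """Run the constructed inspection against the constructed baseline."""
    return inspect(BASELINE, INSPECTION, LAST_INSPECTION, MAX_DAYS_BETWEEN_INSPECTIONS)
```

Each finding is a reason to pull the device from service and report to a manager; an "unlisted" result also means the Requirement 2.4 inventory itself needs updating.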
PCI DSS version 3.0 introduces many more changes, though we cannot cover all of them in this column. To see additional analysis by the Conexxus Data Security Working Group, visit conexxus.org and click on “Resources” at the top of the page. You’ll see PCI DSS Ver. 3.0 Noteworthy Changes for Petro Retailer under the Public Resources section.
Nancy Tosto
Payment Systems Manager
BP Products North America
Conexxus Data Security Committee Member