Do you run an ecommerce business? Whatever you sell, if you take online payments you are most probably subject to Payment Card Industry (PCI) compliance. PCI compliance is vital, but it can be overwhelming, at least in the early stages. With the new amendments about to take effect, business owners would do well to understand them.
There is much to learn about the changes, but for quick comprehension they can be grouped into five key PCI amendments worth noting. They take effect on 1 January 2015, although some of them will be classified as best practices until June 2015. Preparing for them now is undoubtedly wise.
Meaning of PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is the set of security standards that businesses must comply with if they handle cardholder data for POS, ATM, debit, e-purse, credit and prepaid cards. If you manage online payments, you should be aware of it, and if you already are, make sure you keep track of all the changes.
Current PCI DSS Status
The PCI DSS is currently at version 2.0. The plan is to move from this version to PCI DSS and PA-DSS 3.0. Businesses that are currently PCI DSS 2.0 compliant have until 1 January 2015 to implement the relevant changes. It is the perfect time for a change: a new year, a new beginning.
To keep things simple, this article covers five key PCI compliance amendments. It is still worth reading up on the rest of the amendments so that you are not caught out in any way. Here are the five key PCI compliance amendments:
1. Pen Test Method Standardization
Penetration testing is already compulsory under PCI if card data is processed, transmitted or stored. Under the amendment, you will also need an established process and methodology for doing so, agreed with the company performing the test. Documenting and implementing that methodology, and satisfactorily assessing the controls that protect cardholder data, is vital too.
In the early stages this may be hard for many businesses, especially smaller ones that lack the in-house staff to do it. They may have to hire outsiders, and they need to be careful about whom they hire.
2. System Component Inventory
This requires businesses to keep an inventory of practically everything, from hardware (network equipment and virtual hosts) to software (commercial, custom and common applications). Every single item must be recorded along with a description of its function or use.
Without automation, maintaining an inventory can be difficult for IT staff, who may have to spend considerable time establishing and refining the process. Once it is in place, however, finding what you need becomes much easier.
3. Dealings with Vendors
Clear documentation of whether the organisation or the vendor is responsible for each specific PCI DSS requirement is vital. For instance, if a business uses a data centre hosted by a vendor, the centre's physical access restrictions are handled by the business, as are the controls needed to run the business. Companies should settle these issues before selecting any service provider.
Because it requires analysing precisely how every vendor is used, this requirement may seem difficult. In reality, retailers should already know precisely what each subcontractor does, where responsibility for each control lies, and how to produce documentation explaining this.
4. Anti-malware Software
Another important matter for businesses is anti-malware software. Just because a particular system has not been attacked before does not mean it is immune to malware, so evaluating, selecting and deploying the right anti-malware software is important.
Even for a system with no history of malware infection, you still need a process in place to confirm that it remains protected, along with some form of immediate alerting in the event of a malware attack.
5. Point of Sale and Physical Access
This requirement concerns the physical access of the retailer's on-site personnel. Access should be based on each person's job role and revoked when a member of staff resigns or is terminated. According to requirement 9.9, retailers should “protect devices that capture payment card data …from tampering and substitution”.
This requirement may seem complicated for many retailers to follow. Its testing procedures include verifying that there are procedures for “maintaining a list of devices”, which may be a new concept for many retail location managers and site administrators. Some preparation, employee training and socialisation may be needed to ensure it is fully implemented.
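As an added illustration (not code from the original article) of the system component inventory in item 2 and the requirement 9.9 “list of devices” in item 5, the script below holds a constructed inventory and reports entries that lack a function description or, for card-capture devices, the identifying details needed to spot substitution. The record fields, sample entries and the device-list columns (make, model, location, serial) are assumptions about what such an inventory needs, not text from the standard.

```python
# Constructed inventory: hardware, software and card-capture devices (sample data).
INVENTORY = [
    {"id": "fw-01", "kind": "hardware", "name": "Edge firewall",
     "function": "Segments the cardholder data environment from the office LAN"},
    {"id": "vh-02", "kind": "hardware", "name": "Virtual host", "function": ""},  # no function recorded
    {"id": "app-03", "kind": "software", "name": "Checkout app (custom)",
     "function": "Processes online card payments"},
    {"id": "pos-04", "kind": "device", "name": "Card terminal", "function": "Captures card data at till",
     "make": "ExampleCo", "model": "T100", "location": "Store 12, till 1", "serial": "SN-0001"},
    {"id": "pos-05", "kind": "device", "name": "Card terminal", "function": "Captures card data at till",
     "make": "ExampleCo", "model": "T100", "location": "Store 12, till 2"},  # serial missing
]

# Every inventory item needs these; card-capture devices need the extra identifying fields
# so that a periodic inspection can tell a substituted terminal from the recorded one.
REQUIRED_COMMON = ("id", "kind", "name", "function")
REQUIRED_DEVICE = ("make", "model", "location", "serial")


def find_inventory_gaps(inventory):
    """Return {item_id: [missing or empty field, ...]} for every item that fails a check."""
    gaps = {}
    seen_ids = set()
    for item in inventory:
        missing = [f for f in REQUIRED_COMMON if not item.get(f)]
        if item.get("kind") == "device":
            missing += [f for f in REQUIRED_DEVICE if not item.get(f)]
        if item.get("id") in seen_ids:
            missing.append("duplicate id")
        seen_ids.add(item.get("id"))
        if missing:
            gaps[item.get("id", "?")] = missing
    return gaps


def device_list(inventory):
    """One line per card-capture device: the list a site administrator would inspect against."""
    return [f"{d['id']}: {d.get('make', '?')} {d.get('model', '?')} at {d.get('location', '?')}, "
            f"serial {d.get('serial', '?')}"
            for d in inventory if d.get("kind") == "device"]


if __name__ == "__main__":
    for item_id, missing in find_inventory_gaps(INVENTORY).items():
        print(f"{item_id}: missing {', '.join(missing)}")
    print("\n".join(device_list(INVENTORY)))
```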
With an effective date of 1 January 2015, there is ample time to implement the necessary PCI amendments. After all, the changes are meant to create a more customer-focused online payment system for your website or ecommerce business, which may in turn win you new customers.
If you would like to find out more, contact us today and see how we can help.