PCI: 5 New Security Requirements
New Task Force Created to Assist Smaller Merchants
The new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses, says Don Brooks, senior security engineer at security and forensics firm Trustwave.
The best practices, which were included when PCI DSS version 3.0 was released in November 2013 and become mandatory requirements on June 30, 2015, state:
- Merchants should secure authentication and session management in their payment applications, to help prevent the theft of online credentials and session tokens (Requirement 6.5.10);
- Third-party service providers with remote access to POS systems should use a unique authentication credential, such as a password or passphrase, for each merchant customer, so that one compromised credential cannot be reused across merchants (Requirement 8.5.1);
- Service providers should acknowledge in writing that they are responsible for the security of the cardholder data they store, process or transmit on behalf of the merchant (Requirement 12.9);
- Merchants should keep an inventory of their POS devices and regularly inspect them to ensure they have not been "swapped" or tampered with to skim or collect card details (Requirement 9.9);
- Merchants should conduct regular penetration testing under a documented methodology that simulates real attacks against known and suspected vulnerabilities, rather than relying on vulnerability scans alone (Requirement 11.3).
All Businesses at Increasing Risk
The PCI Security Standards Council says merchants of all sizes are increasingly at risk, and that these requirements reflect areas all businesses should address.
"More advanced criminal attacks may be focused on wherever larger aggregation of data may be collected," says Troy Leach, chief technology officer of the PCI SSC.
But Brooks says attack trends suggest that smaller merchants will continue to face more breaches than larger organizations. And he says the council's launch of a new task force aimed at helping smaller merchants shore up their security and PCI compliance practices is likely linked to these new requirements taking effect in June.
The New Taskforce
The new Small Merchant Taskforce aims to simplify PCI compliance for smaller merchants by helping them identify the more basic security flaws they should be addressing, Leach says.
"It's important to note that so many of these breaches are preventable with simple controls," he says. "What the task force hopes to accomplish is educate merchants on some basic security controls that are as common sense as locking the door at night, but for the POS environment."
Those suggestions may include such steps as using secure, lab-tested products and having installations managed by an expert aware of how to appropriately configure POS devices, he adds.
"We understand that small merchants often operate on small profit margins and don't always have access to the latest and greatest technology, or understand why they should consider updating legacy equipment," Leach says. "We hope to explain these threats and how they could opt to minimize the risks."
The task force, which is being co-chaired by Barclaycard, an acquiring bank, and the National Restaurant Association, a merchant group, was announced May 19.
"We know that small merchants are a vulnerable sector to cyber-attack," Leach says. "They face unique challenges, such as having limited to no technical expertise on staff to help answer questions related to protecting cardholder data. This effort helps educate those small merchants with common-sense instructions related to how to better improve their security posture and what they can do without having to know any technical jargon."
David Matthews, general counsel for the National Restaurant Association, says the task force is working to simplify PCI compliance for smaller merchants.
"The impetus for the Small Merchant Taskforce comes from a desire on the part of the PCI Council to focus on simplifying data security for small merchants who lack technology expertise and resources," Matthews says. "The council believes small merchants are an increasing target of bad actors, though we believe the majority of cards compromised in breaches comes from larger breaches."
But Leach says the timing of the council's creation of the Small Merchant Taskforce and the solidification of the five new requirements are not related.
"Certain new requirements in DSS 3.0 were initially instated as best practices until June 30, 2015, at which time they become requirements," Leach says. "This was done by design, to allow organizations additional time to properly implement these requirements. The Small Merchant Taskforce aims to help organizations with payment security; but the announcement of the taskforce with the 3.0 requirements is purely coincidental."
Ensuring PCI Compliance?
Brooks says the formation of the taskforce should help smaller merchants better understand not just the cyber-risks they face, but also the fines they could pay for not being PCI compliant at the time of an audit or post-breach.
Most PCI-breach-related fines from the card brands range from $100,000 to $500,000, Brooks says. Those fines would be in addition to any fraud-related fees merchants could be required to pay in the event of a card breach after the EMV liability shift date hits in October, he adds (see October Fraud Surprise for Retailers?).
"Smaller businesses, particularly those that outsource some or all of their IT, security or payment processing, should partner with a Qualified Security Assessor, as this allows them to leverage their expertise and experience for security and compliance," Brooks says.
But Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says smaller merchants will increasingly be targeted by sophisticated attacks against which they can't possibly defend themselves. And while the PCI Council's efforts to improve communications and requirements that will help these smaller merchants shore up their systems are commendable, the industry is fighting a losing battle, he contends.
"Until we remove the responsibility of cybersecurity from the smaller merchants, the level of controls and expertise that are needed to secure card information and other PII [personally identifiable information] will escape us," Pierson says. "The industry needs to concentrate on removing the card data and work on tokenization and other substitutes so the organizations with access to this data are only the largest/most sophisticated organizations with the best control sets. To require all merchants maintain cybersecurity controls with inadequate funding and resources is no longer tenable."