PCI June 30 compliance deadline looms; big fines possible for retailers

While many retailers are under the gun for the EMV liability shift deadline in October, there's an earlier cutoff on June 30 that may be just as important to meet: five mandatory changes in compliance for the Payment Card Industry Data Security Standard version 3.0.

Retailers who don't meet the compliance requirements and experience a data breach may be subject to heavy fines from $100,000 to $500,000 or more, according to information security company Trustwave.

PCI DSS version 3.0 reflects the latest mandatory compliance requirements, driven by the many security breaches in recent history. PCI DSS began as five separate programs inaugurated by the various credit card networks, which were combined under the Payment Card Industry Security Standards Council in 2004. The standard has been revised several times since then.

The latest payment card industry data security standard, a set of requirements designed to help businesses better secure their customers' payment card information, took effect Jan. 1, with some of the changes becoming mandatory at the end of June.

"The PCI Security Standards Council continues to move aggressively in response to the methods and tactics of card data thieves in terms of the requirements, but effectiveness depends on merchants implementing and maintaining a PCI compliance program," Don Brooks, senior security engineer at Trustwave, told FierceRetailIT. While the introduction of fraud prevention technologies such as EMV and innovations such as P2PE and tokenization continue to mature, "overall there is still no 'silver bullet' for PCI compliance, but retailers have many more tools at their disposal to manage their risk and compliance," he said.

While the new changes should help businesses better protect their valuable information, it's important to keep in mind that the PCI DSS is a baseline for security. "We often see businesses check the compliance box and believe that's enough," Brooks said. "In today's business environment where the threat landscape is more complex than ever before, businesses need to flip the compliance model on its head—making sure their data is secure first, so that they inherently become compliant. They can achieve that goal by identifying where their valuable data lives and moves, implementing security controls to protect that data and continuously scanning and testing their assets to identify and remediate security vulnerabilities."

After June 30 any business that stores, processes or transmits payment card data will need to make the following changes, he said:

Businesses must verify that broken authentication and session management are addressed. This will help prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
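The session-management half of that requirement (PCI DSS 3.0 requirement 6.5.10) comes down to a handful of concrete controls on the server side: tokens that cannot be guessed, a fresh token issued at login so a pre-planted id never becomes an authenticated session, idle and absolute expiry enforced by the server rather than the cookie, and explicit logout. The following is an added illustration written for this article, not code from Trustwave or the PCI Security Standards Council. The 15-minute idle limit is the figure in PCI DSS requirement 8.1.8; the 8-hour absolute limit, the user names and the clock values are constructed assumptions.

```python
"""Minimal server-side session store showing the controls behind PCI DSS
6.5.10 (broken authentication and session management). Added example;
assumed policy values are marked as such."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds; PCI DSS 8.1.8 idle re-authentication limit
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds; assumed site policy, not a PCI-mandated figure


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions keyed by the SHA-256 of the token, so a leaked copy of the
    table does not hand out usable session ids. The clock is injectable so
    expiry can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, old_token: Optional[str] = None) -> str:
        """Issue a fresh token after successful authentication.

        Whatever token the client held before authenticating is discarded, so
        an id planted in the browser beforehand (session fixation) never turns
        into an authenticated session."""
        if old_token is not None:
            self._sessions.pop(self._key(old_token), None)
        now = self._clock()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; never derived from user data
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the live session for a token, or None if unknown or expired."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]  # expire server-side, not merely in the cookie
            return None
        sess.last_seen = now  # activity resets the idle timer, never the absolute one
        return sess

    def logout(self, token: str) -> None:
        """Explicit logout removes the server-side record immediately."""
        self._sessions.pop(self._key(token), None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.login("anonymous")          # constructed pre-login session
    token = store.login("alice", old_token=anonymous)
    print("old token still valid:", store.validate(anonymous) is not None)
    print("new token user:", store.validate(token).user)
```

The token itself should travel only in a cookie flagged Secure and HttpOnly; the store above covers the server side, where the expiry decision has to live because a client can always present a cookie past its stated lifetime.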

Third-party service providers with remote access to customer premises must use a unique authentication credential for each customer. Providers must also go through additional testing in which assessors examine authentication policies and procedures and interview personnel to verify that different credentials are used for access to each customer.

Third-party service providers must acknowledge in writing to customers that they are responsible for the security of cardholder data the provider possesses, stores, processes or transmits on the behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data.

Businesses must add protection for in-store point-of-sale devices. Businesses must maintain a list of POS devices and periodically inspect them for tampering or substitution. They must also train personnel to be aware of suspicious behavior and to report tampering or substitution of the devices.

Businesses must implement a new penetration testing methodology based on industry-accepted penetration testing approaches. The methodology requires that penetration testing cover the entire cardholder data environment perimeter and critical systems, and that it validate any segmentation and scope-reduction controls. It also specifies what application-layer and network-layer tests should include. Businesses must also report any threats and vulnerabilities they have experienced in the last 12 months and explain how they will remediate weaknesses uncovered by penetration testing.

Summing up the big picture of PCI DSS compliance, Brooks said, "Security is a journey, not a destination."
