The Payment Card Industry Security Standards Council's PCI 3.0 revision, revealed in January, adds requirements that take effect at the end of June, putting unprepared merchants at risk of fines if they suffer a breach.
The new rules require that merchants consistently monitor their network and communicate clearly with third-party security service providers about password management and system testing.
With five new requirements taking hold soon, merchants may feel as if they need a scorecard to keep track of the PCI standards changes and upgrades. The PCI council delivered a PCI 3.1 update in April to warn e-commerce merchants about a change in Web security from Secure Sockets Layer to a newer version of Transport Layer Security.
Some merchants are not aware of the new 3.1 update, let alone that some 3.0 controls are about to take effect, said Don Brooks, senior security engineer for Trustwave.
"One merchant I spoke to couldn't tell me whether or not his service provider was compliant," Brooks said. "And that's where the new teeth come into play on June 30."
Chicago-based Trustwave estimates that a merchant suffering a breach could face between $100,000 and $500,000 in fines from the card networks, additional expenses between $50,000 and $100,000 to reach compliance, a $50 re-issuance fee per compromised card, and $2 per customer for credit monitoring. In addition, a merchant that has suffered a breach can expect anywhere between 8% and 19% customer churn, Trustwave says.
Those types of numbers have more retailers making security a high priority, rather than arguing over whether the PCI rules should apply to them, said Richard Mader, retailer consultant and president of Bernville, Pa.-based Mader International Consulting.
"The initial shock of PCI compliance is kind of fading because retailers have spent so much money on it already," Mader said. "Today, it is more along the lines of the retailers realizing they have to do this because they can't afford to be hacked, from a sales or customer trust standpoint."
Retailers now realize they have to do everything possible to avoid breaches because being non-compliant means much more than "just a slap on the wrist from the card brands," Mader said.
Retailers still have legitimate complaints about some aspects of PCI, but "they look at Target sitting in court and realize the retailers are legally responsible and end up paying," Mader added.
When the new requirements take hold, businesses must verify that they have addressed any broken authentication or session management tools, to prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens.
Third-party service providers must acknowledge in writing to customers that they are responsible for cardholder data security, and those with remote access to a merchant network must use a unique authentication credential for each customer.
Businesses must implement network penetration testing methods based on industry-accepted approaches.
In addition, merchants must maintain a list of their point-of-sale devices and periodically inspect them for tampering.
"We recommend making POS checks part of annual security training for employees," Brooks said. "When employees start a shift, they should make sure everything at the payment terminal looks as it should and there are no USB sticks plugged into the back of the swipe terminal."
Keeping a log of required internal checks is an important part of PCI compliance for merchants because it helps thwart breaches and provides forensic researchers vital "pieces of the puzzle" after a breach to help determine what happened, Brooks said.
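As an added example, not code from the article or from Trustwave, the following Python script shows the three things Brooks describes working together: the merchant's authoritative list of POS terminals, a per-shift inspection log, and an audit that reads the log to flag terminals that were not checked in time, whose serial number no longer matches the inventory, whose tamper seals are broken, or that have something unexpected plugged in. Every device id, serial number and log entry is constructed for the example.

```python
"""POS terminal inventory with a tamper-inspection log (added example).

The inventory is the merchant's list of terminals; the log records each
shift's physical check; audit() turns the two into findings a manager or a
forensic investigator can act on. All identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Authoritative inventory: device id -> expected attributes (constructed values).
INVENTORY = {
    "LANE-01": {"serial": "SN-1001", "location": "Register 1"},
    "LANE-02": {"serial": "SN-1002", "location": "Register 2"},
    "KIOSK-01": {"serial": "SN-2001", "location": "Self-checkout"},
}


@dataclass(frozen=True)
class Inspection:
    """One log entry, written when an employee checks a terminal at shift start."""
    device_id: str
    inspected_on: date
    observed_serial: str        # serial read off the terminal's label
    seals_intact: bool          # tamper-evident seals undisturbed
    attachments: tuple = ()     # anything plugged in that should not be there


# Constructed inspection log covering three days.
LOG = [
    Inspection("KIOSK-01", date(2015, 6, 28), "SN-2001", True),
    Inspection("LANE-01", date(2015, 6, 29), "SN-1001", True),
    Inspection("LANE-02", date(2015, 6, 29), "SN-1002", True),
    # 30 June: a USB stick was found on the rear port of LANE-01
    Inspection("LANE-01", date(2015, 6, 30), "SN-1001", True, ("USB stick on rear port",)),
    # 30 June: the terminal at LANE-02 carries a serial nobody has on record
    Inspection("LANE-02", date(2015, 6, 30), "SN-9999", True),
    # 30 June: a terminal that is not in the inventory at all was checked
    Inspection("LANE-03", date(2015, 6, 30), "SN-1003", True),
    # note: KIOSK-01 has no entry for 29 or 30 June
]


def audit(inventory, log, as_of_iso, max_age_days=1):
    """Return a list of (device_id, finding) tuples as of the given ISO date.

    A device is clean only if its most recent inspection is no older than
    max_age_days, its serial matches the inventory, its seals are intact and
    nothing unexpected is attached. Entries for devices missing from the
    inventory are reported as well, since a terminal nobody tracks is exactly
    what a tamper check is meant to catch.
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    latest = {}
    unknown = set()
    for entry in log:
        if entry.inspected_on > as_of:
            continue                        # ignore entries after the audit date
        if entry.device_id not in inventory:
            unknown.add(entry.device_id)
            continue
        prev = latest.get(entry.device_id)
        if prev is None or entry.inspected_on > prev.inspected_on:
            latest[entry.device_id] = entry

    for device_id in sorted(unknown):
        findings.append((device_id, "device not in inventory"))

    for device_id, expected in inventory.items():
        entry = latest.get(device_id)
        if entry is None:
            findings.append((device_id, "never inspected"))
            continue
        if as_of - entry.inspected_on > timedelta(days=max_age_days):
            findings.append((device_id, f"last inspected {entry.inspected_on}, overdue"))
        if entry.observed_serial != expected["serial"]:
            findings.append((device_id,
                             f"serial {entry.observed_serial} does not match "
                             f"inventory serial {expected['serial']}"))
        if not entry.seals_intact:
            findings.append((device_id, "tamper seal broken"))
        for item in entry.attachments:
            findings.append((device_id, f"unexpected attachment: {item}"))
    return findings


if __name__ == "__main__":
    for device_id, finding in audit(INVENTORY, LOG, "2015-06-30"):
        print(f"{device_id}: {finding}")
```

Run as-is, the audit for 30 June reports four findings: the unlisted LANE-03, the overdue KIOSK-01, the serial mismatch at LANE-02 and the USB stick on LANE-01. Because the log keeps every entry rather than just the latest state, the same records serve both purposes the article names: the daily check that catches tampering early, and the timeline an investigator needs afterwards to see when a terminal was last known to be clean.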
Merchants should never simply assume that a security vendor has taken care of all of the necessary tasks for PCI compliance, Brooks said. It is best for a merchant to be aware of what the vendor is doing and when, while also realizing that security technology is likely not their own forte, Brooks added.
It is also vital that merchants communicate with service providers now to make sure they will comply with the new requirements.
"The service provider may not need to get his documents in for compliance until October, but the merchant needs his information in place at the end of June," Brooks said. "There could be some collisions here in timing that would cause security gaps."