Changes to PCI 3.0: Are You Ready?

By the end of this year, data security will get a good deal more complex and a lot more expensive. What’s the answer for beleaguered small merchants?

There are plenty of articles out there detailing the changes to the newest version of the Payment Card Industry data-security standard (PCI-DSS) that went into effect Jan. 1, 2014. Probably the most important thing to remember, though, is that all merchants, including Level 4 merchants, will have to comply with PCI-DSS 3.0 by the end of 2015.

Unless merchants are well-versed in data and network security technologies and are already expert in PCI-DSS compliance, reading about the changes probably doesn’t make a lot of sense. If the business is large enough, it either has an IT staff or potentially a security team and/or the money to hire a third-party to take care of PCI compliance. However, a small-business owner probably won’t be overly concerned unless someone tells him differently.

If the business falls into the Level 4 merchant category (merchants processing up to 1 million Visa transactions annually or merchants processing less than 20,000 Visa e-commerce transactions annually), the burden of PCI compliance likely falls on the owner and, perhaps, the payment system vendor and the guy hired to set up the network.

Owners are experts in their businesses, not in data security or PCI compliance. But they bear the responsibility for PCI compliance, so knowing what’s new and what’s changed is crucial.

While the changes in PCI DSS 3.0 are detailed on the PCI Security Standards Council Web site, here we focus on three specific changes and how they will dramatically affect small-to-mid-size business owners.

The SAQ: 59 More Technical Questions

Every year, merchants are required to fill out and submit a PCI data-security standard self-assessment questionnaire (SAQ). This validation tool is intended to assist merchants and service providers in self-evaluating their business’s compliance with the PCI-DSS.

In the event of a security breach, it’s also the document that can be used as the baseline to compare what has been attested to (in terms of network security and security-policy management) and what has actually been implemented. Wide gaps between the attestation document and what is uncovered as a result of a post-breach audit can make a difference in fines, penalties, and other fees.

Version 3.0 of the SAQ required for Internet-connected businesses includes 59 additional questions, most of which concern network configuration and security, for a total of 139 questions. For comparison, the PCI-DSS 2.0 SAQ had 80 questions.

Because most of the new questions are highly technical, there’s an added level of complexity to completing the SAQ that requires intimate knowledge of exactly how merchant networks are secured and, more important, how card data are being segmented and isolated from all other Internet traffic.

This complexity notwithstanding, it’s important for business owners to understand how to answer the questions specific to their network security, since ultimately they are accountable for their own security and compliance.

Expanded Definition of a Service Provider

One of the biggest impacts on PCI is the change in the definition of a “service provider.” In previous versions of the PCI-DSS, a service provider was defined as any business entity that was not a payment brand (e.g., not Visa, MasterCard, Capital One, and so on) and that was directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.

These companies handle payment information on behalf of credit card processing companies and have to meet stringent data-security requirements to be PCI-compliant.

The new definition has been expanded to include any company that provides a service that could control or impact the security of cardholder data. That means that anybody who sets up, configures, or changes a merchant’s business network, from the IT guy to the payment-systems vendor to the security-camera company—and anyone else who touches the network—could, and likely will, be held equally liable in the event of a data breach that results in the loss of debit or credit information.

With this new definition in mind, the PCI 3.0 SAQ requires merchants to name all of their service providers to complete the compliance-validation process.

This is a huge potential impact on any company that “services” a network, since it will now be deemed a service provider for PCI purposes. And if the cause of a breach is related to a weakness or change caused by a service provider, the service provider will likely be held accountable.

The problem is that most of these vendors don’t have the expertise to set up a properly segmented, secure, and PCI-compliant network. Furthermore, even fewer have the capability to ensure their clients’ systems remain secure and PCI-compliant on an ongoing basis. Installing a firewall or a simple routing device (the traditional way payments systems are deployed) does not ensure network data security or contribute to PCI compliance.

How does this change affect merchants? It won’t if the company’s payments-system vendor, IT guy, security-camera company, and others have the required expertise and are willing to be held liable if the business is breached. Most probably won’t want the responsibility.

Network Segmentation

PCI-DSS 2.0 required companies to segment their networks by splitting payment traffic from the rest of the business’s network traffic. Even the PCI Council suspects that many merchants are not segmenting their networks (even though they claim to on their SAQs) for a simple reason: PCI compliance rates are up, but so are breaches.

Clearly, something is amiss.

To enforce network segmentation, PCI-DSS 3.0 requires merchants to attest in the SAQ exactly how they are segmenting payment traffic from other network traffic. This can be done using a certified Point-to-Point Encryption Service or by installing a terminal that connects directly to the Internet and bypasses the local network. But most businesses still use traditional terminal/server-based systems, so they will be required to prove they have properly and securely established a cardholder data environment (CDE).

The gotcha is that when a merchant attests in the SAQ that it segments card data through establishment of a CDE, it is automatically flagged and subject to an annual penetration test. These tests cost an average of $5,000 per location. If the business consists of three jewelry stores, for example, the owner is looking at $15,000 a year for penetration tests.

Alternatively, merchants can opt to do a self-assessment penetration test. This requires installing software on the network to run the test, interpreting the results, and reporting them to the PCI Council. Doing a penetration test is not easy. That’s why third-parties charge $5,000, or more, a pop.

What’s a Business Owner to Do?

First things first. Don’t fall into the rut of believing that becoming PCI-compliant is the end-all, be-all. There are plenty of PCI-compliant companies that have been breached. Big ones like AT&T, Dairy Queen, JP Morgan Chase, Kmart, Home Depot, and Target were certainly shocking.

But, at the same time, don’t be lulled into thinking that hackers only go after the big guys. According to Visa Inc. data cited by Cayan, formerly Merchant Warehouse, 95% of all credit card data breaches involve customers of small businesses.

Why do hackers go after the small potatoes? Because they theorize that small retailers and organizations such as physician and dental offices are much less likely to have their customers’ debit and credit card data locked down.

So if PCI compliance isn’t the answer to protecting businesses and customers, what is?

The answer is managed network security. If companies just secure their networks and adopt a few simple data-security best practices, they’ll meet their PCI-compliance criteria.

Too many businesses fall into the trap of doing just enough to get through the SAQ and vulnerability scan and achieve their PCI-compliance certificate. Then they go back to their regular routine. The idea is to take a top-down approach: Secure the business network, and PCI compliance will be a by-product of good security practices.

How does this work? Let’s go back a step. It’s a common misconception among small-business owners that having a PCI-compliant payment system protects their business from a breach. This is only one component in securing cardholder data.

The second component in data security—and by far the most difficult to do—is to set up and maintain a secure network. The third component is the human aspect, which only owners and managers can do. This entails establishing and educating employees on best practices that spell out how to handle cardholder information, frequently reinforcing those practices, and checking often to make sure policies are followed.

So, if the payments-system vendor is taking care of the security of the payments system and owners and managers are taking care of the daily physical and human aspect of data security, the only thing left is securing the network: the biggest and, arguably, the hardest part.

Fortunately, network security and PCI compliance can be outsourced to a PCI Level 1-certified service provider that specializes in securing small and medium-size business networks. These services reconfigure existing networks to be secure and PCI-compliant by sending all traffic through a special security appliance installed on the network.

It’s the service provider’s responsibility to lock down cardholder data and monitor and manage the network. Because these services are built from the ground up around PCI-DSS requirements and data-security best practice rules, the network is by default PCI-compliant. And because these services automate network monitoring and identify and remove threats in real time, they are affordable—as low as $65 per month.

The service provider will auto-populate about 85% of the SAQ, answering all of the hard network security questions and leaving business owners with the questions only they can answer.

How do they do this? The network-security service they provide is already PCI-DSS 3.0 certified. These cloud-based managed-security services not only protect the business network to the same level of network security and management that the world’s largest corporations and banks benefit from, but they do it without the high cost and complexity, including paying for expensive penetration testing. Moreover, these services assume liability in the unlikely event of a breach, removing it from the merchant and its other network-service providers.

PCI DSS 3.0 presents new compliance challenges to businesses of all sizes that handle transactions digitally. But no more so than to small business owners, who typically lack the resources to hire a network-security expert to ensure their networks are secure and PCI-compliant.

Fortunately, new, affordable managed services are available to do the heavy lifting of PCI compliance while providing peace of mind that your network is secure.

Gregory Grant is the senior director of sales and business development at Phoenix Managed Networks, Reston, Va.