On January 1, 2015, Version 3.0 of the PCI Data Security Standards becomes the mandatory compliance standard for any vendor that processes, stores, or transmits payment card data. In this article, we’re going to talk about a change related to POS systems: PCI Requirement 8.5.1. And this rule impacts third parties that provide support for merchants.
Vendors and Vulnerabilities
A lot of organizations have POS systems running on software written by another vendor. These merchants often have a contract with the vendor for technical support, upgrades, and related services. Generally, when the vendor provides support, they send a technician on-site to access the Point of Sale system through a user ID and password that only the vendor knows. But most vendors serve a large number of clients, and for the sake of convenience, many have used the same ID and password for every system and every client. You can imagine the danger here. If Client A is compromised – a hacker captures the system’s passwords, for example – then suddenly every other client of the vendor is at risk as well.
In order to address this problem, the PCI Security Standards Council added Requirement 8.5.1. This new rule stipulates that vendors and service providers must use unique security credentials for every customer’s systems. It is no longer acceptable to use shared usernames and passwords. The PCI Council recognized that this is a major change for many service providers, requiring a good deal of work for those with many clients and systems to adjust, so the new rule is considered a best practice until July 2015. That means organizations with reporting dates before July are not required to demonstrate compliance with the new rule – but those who report afterward are responsible for it. For service providers, the change will mean that they must undergo an audit to demonstrate compliance. What about merchants? We would advise merchants to drive implementation of this new security rule by specifying that their systems should have unique security credentials in their contract language with the service provider. This gives merchants an extra level of reassurance, as well as something to point to when demonstrating compliance themselves.