On January 1, 2015, any vendor who processes, stores, or transmits payment card data will have to demonstrate compliance with Version 3.0 of the PCI Data Security Standards (DSS). These standards consist of over 250 “control elements” (or rules) that must be in place for an organization to be considered in compliance – and avoid potential fines.
Compliance is all or nothing: to comply with the rules, you must comply with every one of them. Version 3.0 will be the one and only set of PCI guidelines that all merchants must follow. And it brings some big changes with major implications for many businesses.
Point of Sale Concerns
You’ve probably heard of scammers who go to ATMs, particularly those in locations separate from the bank itself, and install overlay equipment on the machine to capture information as it’s entered by the ATM user. Using this technology, sometimes called an “ATM skimmer,” thieves can make a copy of a bank ATM card, capture the user’s PIN, and steal money from an account.
What does this mean for merchants and the PCI rules? Think about one of the common Point of Sale (POS) environments in use today — a gas station. These days, you probably don’t interact with an attendant too often when filling your car up with gas. Instead, you pull up to the pump, turn off your car, swipe your credit card in the pump’s payment slot, and go through the whole process of pumping your gas, all without interacting with a human. It’s not so different from your experience at the ATM. And there’s an opportunity here for scammers to install an overlay on the gas station’s POS device in much the same way as they have targeted ATMs in the past. The same goes for many grocery stores and retailers. As more areas of the marketplace adopt automated POS strategies, the problem only grows more significant.
A New Requirement
In light of this threat, the PCI Security Standards Council sought to revise the DSS to help ensure that POS devices have not been tampered with or altered in any way. So one of the changes they’ve made in Version 3.0 is to require organizations with these devices to “periodically inspect devices for signs of tampering or substitution.” This is PCI control 9.9.2 – part of a brand new requirement in Version 3.0. PCI doesn’t specify what “periodic” means – which is to say that it doesn’t mandate a particular frequency of evaluation. Organizations, then, have some degree of flexibility in how often they check their POS devices for signs of tampering, but they do need to begin checking them, and they will need documentation to validate that the inspection occurred. What does this mean for the gas station we discussed above? Perhaps once a quarter, the station manager at a given location would need to physically inspect each POS device and then make a log of their findings, signifying that the devices showed no signs of foul play.
For a very large retailer – an organization with lots and lots of POS devices in many locations – this requirement could have a significant impact. These businesses will have to work out the logistics of inspecting a large number of POS devices and capturing and organizing records on those inspections. The PCI Council recognized that this change will require considerable effort on the part of some merchants, so they’ve instituted this new requirement as a “best practice” until July 2015. What does that mean in practice? Retailers with PCI DSS report dates before July 2015 are not required to comply with this provision until the date of their next report in 2016. For organizations with report dates after July 2015, the new requirement must be in place for them to comply with PCI DSS 3.0. Businesses in both groups have a good deal of time to work out the best way to get in compliance. Regardless of your organization’s size or number of POS devices, compliance with this new rule is an important step toward protecting your business – and the data of your consumers.