The Payment Card Industry (PCI) Security Standards Council periodically publishes new guidelines governing how merchants and processors should handle sensitive credit card information. These updates are designed to keep pace with evolving security threats as hackers develop more inventive ways of abusing card data.
In 2014, the Council officially published PCI DSS 3.0 — revised guidelines that clarify and expand upon some of the existing regulations in prior versions. There's an online summary of changes that is about 12 pages long (and quite technical). Below are five of the most important differences between versions 2.0 and 3.0 of the PCI DSS guidelines:
1. Better Password Education for Users
In today's web-connected world, companies store a tremendous amount of information online — and with the right username and password, thieves can easily steal this data. This is why PCI DSS 3.0 stresses the need for better password education for employees, users and anyone else who might have access to sensitive information.
More specifically, companies should avoid leaving default passwords in place wherever possible. They should also train their employees to detect and report phishing scams.
2. "Need to Know" Basis for Cardholder Data
People who handle payments at any point in the payment chain are disproportionately involved in data breaches. This is why bank tellers, cashiers and waiters should undergo extensive POS security training before they receive access to sensitive financial information.
In addition, card data should only be shared on a "need to know" basis. In health care settings, for example, nurses and physicians don't need direct access to any of a patient's billing information.
3. Storing and Protecting Cardholder Data
PCI DSS 3.0 introduces stricter guidelines governing how companies should store, process and protect cardholder data within their systems. Recommended strategies include stronger firewalls and more robust encryption when sending information across public networks.
4. Better Malware Protection
Basic antivirus software is no longer enough. Companies are now required to evaluate new malware threats — even when dealing with systems that are not "commonly affected by malicious software."
This means you'll have to regularly screen all company-issued mobile devices, tablets, POS terminals, servers and connections — in addition to the usual culprits like laptops and desktops.
5. PCI Security as a "Shared Responsibility"
It's no longer enough to ensure that your own systems are PCI compliant. You must also assess the external points of exposure that may exist — both upstream and downstream. This is especially relevant for companies that regularly outsource.
Your customers' financial information is only as safe as the weakest link.
PCI DSS 3.0 also places greater pressure on service providers (i.e. firms to whom you outsource). Even if they don't process card information in-house, they must now take proactive steps to shore up their data security.
PCI Compliance Is an Ongoing Process
The above list is by no means exhaustive. As you begin reviewing your company's PCI readiness, we encourage you to review the full list of version 3.0 updates.
Even more critical, PCI compliance is not a one-time fix. It is an ongoing process that requires periodic reviews and assessments. This self-analysis can be difficult, but we’re here to help make the process as painless as possible. For a longer list of PCI-compliant best practices, schedule a free appointment with our payment security team today.