Out-Law News

PCI DSS compliance should not be seen as a tick-box exercise, says IT security provider


Businesses handling sensitive payment card data should not view their compliance with industry data security standards as a tick-box exercise, an IT security provider has said.

Michael Aminzade, vice president of global compliance and risk services at Trustwave, said those businesses face a "busy time" to prepare for changes in the payment card data security requirements coming into effect after 30 June. 

Last month, the Payment Card Industry (PCI) Security Standards Council announced that the current PCI Data Security Standard (PCI DSS 3.0) would be "retired" on 30 June and replaced by an updated standard (3.1) which addresses "vulnerabilities" identified within the Secure Sockets Layer (SSL) encryption protocol that "can put payment data at risk". The new standard also includes other "minor updates and clarifications" to the current requirements, it said. 

Aminzade said, in addition to those updates, a number of voluntary best practices set out within the 3.0 standard would also become mandatory after 30 June. 

Those changes mean businesses will have to broaden their "penetration testing" and improve security validations, Aminzade said. They will also face a new duty to "report any threat vulnerabilities they have experienced in the last 12 months and explain how they will remediate weaknesses uncovered from penetration tests", he said. 

Retailers must also take steps to improve the security of their point-of-sale (POS) devices under the new requirements, Aminzade said.

"Businesses must maintain a list of point of sale devices and periodically inspect them for tampering or substitution," Aminzade said. "Employees must be trained in how to spot any suspicious behaviour and how to report tampering of the devices. Largely, criminals attempt to steal cardholder data by manipulating the card-reading devices and terminals. With this requirement it helps businesses flag if a POS device is breached and know what actions to take so that any damage is minimised." 
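The POS requirement described above has two parts: an authoritative list of deployed devices, and a periodic physical inspection that compares what is actually on the shop floor against that list. The following Python script is an added illustration of that reconciliation step; it is not code from Trustwave, the PCI Security Standards Council or this article. The device records, the field inspection results and the 90-day inspection interval are all constructed for the example (PCI DSS does not fix a specific interval here), and the device and serial identifiers are made up.

```python
from datetime import date, timedelta

# Constructed sample inventory: what the business believes is deployed.
# Keys are device IDs; values hold the make/model, the serial number on the
# device label, and the date of the last physical inspection (ISO format).
INVENTORY = {
    "POS-001": {"model": "Acme T100", "serial": "SN-A1001", "last_inspected": "2015-06-01"},
    "POS-002": {"model": "Acme T100", "serial": "SN-A1002", "last_inspected": "2015-03-15"},
    "POS-003": {"model": "Acme T200", "serial": "SN-A2003", "last_inspected": "2015-06-10"},
}

# Constructed sample field inspection: what staff actually found during the
# walk-round, as device ID (from the asset tag) -> serial read from the label.
FIELD_CHECK = {
    "POS-001": "SN-A1001",
    "POS-002": "SN-X9999",   # serial differs from the record: possible substitution
    "POS-004": "SN-A2004",   # device present that the inventory does not know about
}


def reconcile(inventory, field_check, today, max_age_days=90):
    """Compare the recorded inventory with a field inspection and report findings.

    `today` may be a date or an ISO-8601 string. Returns a dict of four lists:
      substituted - device found, but its serial differs from the record
      missing     - device in the inventory that was not found on the floor
      unknown     - device found on the floor that is not in the inventory
      overdue     - device whose recorded last inspection is older than
                    max_age_days (judged against the record as it stood
                    before this inspection, so it also catches gaps in the
                    inspection schedule itself)
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {"substituted": [], "missing": [], "unknown": [], "overdue": []}

    for dev_id, record in inventory.items():
        if dev_id not in field_check:
            findings["missing"].append(dev_id)
        elif field_check[dev_id] != record["serial"]:
            findings["substituted"].append(dev_id)
        last = date.fromisoformat(record["last_inspected"])
        if today - last > timedelta(days=max_age_days):
            findings["overdue"].append(dev_id)

    for dev_id in field_check:
        if dev_id not in inventory:
            findings["unknown"].append(dev_id)

    return findings


if __name__ == "__main__":
    # Any entry in "substituted", "missing" or "unknown" is a tampering or
    # substitution indicator that staff should escalate, per the requirement.
    for category, devices in reconcile(INVENTORY, FIELD_CHECK, "2015-06-30").items():
        print(f"{category}: {devices}")
```

With the constructed data and an inspection date of 30 June 2015, the script reports POS-002 as substituted (its serial no longer matches) and overdue, POS-003 as missing, and POS-004 as an unknown device. In practice the inventory would be exported from an asset register and the field check entered from an inspection form; the comparison logic stays the same.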

Aminzade said the changes should help businesses better protect payment card data, but said that, for businesses storing, processing or transmitting that information, the PCI DSS requirements should not be viewed as anything more than "a baseline for security". 

"We often see businesses check the compliance box and believe that’s enough," Aminzade said. "In today’s business environment where the threat landscape is more complex than ever before, businesses need to flip the compliance model on its head – making sure their data is secure first, so that they inherently become compliant. They can achieve that goal by identifying where their valuable data lives and moves, implementing security controls to protect that data and continuously scanning and testing their assets to identify and remediate security vulnerabilities." 

In February, the UK's Information Commissioner's Office (ICO) fined online travel insurance company Staysure.co.uk £175,000 after sensitive payment card details, stored in breach of PCI DSS requirements, were stolen by hackers.
