PCI DSS 3.0 "Best Practices" Become Requirements On June 30

Bernadette Wilson

By Bernadette Wilson

PCI DSS 3.0 Best Practices

Although PCI Data Security Standard (DSS) 3.0 went into effect at the beginning of the year, some elements of the standard were designated “best practices” until they would become mandatory on June 30. In addition to requirements your merchant IT clients need to ensure they comply with in a few weeks, there are also soon-to-become requirements that directly affect you. You will need to provide your merchant IT clients that the solutions and services you provide are in compliance with PCI DSS.

Don Brooks, Senior Security Engineer at Trustwave, says there are two ways IT solutions providers can attest. Some VARs and systems integrators could be eligible to self-assess; if you do not, for example, facilitate transactions or if your customer processes fewer than 300,000 transactions per year. Many solutions providers, however, are considered Level 1 service providers and will have to be assessed for compliance with PCI DSS by a qualified security assessor (QSA). Brooks says, for IT solutions providers who have not gone through an assessment by a QSA before, it can take about three months. He says you only have to attest to the part of the merchant’s process you are involved with, and you only have to satisfy the merchant that you are in compliance — no other entity will seek this information. It is the merchant that is ultimately responsible to show its management of third parties that interact with the payment environment are compliant. Brooks comments,“PCI is happy to let them outsource, but they can never outsource the liability. It still falls on the merchant.”

Another June 30 requirement is that all vendors — including IT solutions providers — with remote access must have separate credentials for each of their merchant clients. Brooks says situations have occurred in which a vendor that used one set of login credentials for all of its clients was hacked and, as a result, all of its clients experienced a security breach.

Brooks points out VARs and systems integrators could find the June 30 requirements also mean more opportunities to provide solutions and services. PCI DSS 3.0 requires IT network penetration testing — evaluating the security of the system by attempting to exploit vulnerabilities or flaws, improper configurations, or user errors. Brooks says this requirement is often the most costly for your clients. You can help your clients with this requirement by helping them with network segmentation. “Make sure the basic block and tackling of network segmentation is done. Make sure the POS [point of sale] is not linked to the back office,” Brooks says.
Merchants are also required to physically protect, inventory, monitor, and inspect all devices used to capture payment data. Brooks says VARs can help by providing solutions that can help merchants with this requirement — commenting that your resources and product knowledge can accomplish this in “ingenious ways.”

As trusted IT advisors, your clients will turn to you for information on the new requirements, as well as solutions that can help them achieve compliance. Brooks says IT solutions providers who are ready to meet this challenge will benefit. “Compliance is a huge driver for IT spend. It’s a win-win,”he says.