Any organization that accepts credit and/or debit card transactions or handles cardholder information should be aware of the changes made to the PCI DSS regulations in 2015. Though the changes took effect on the first of January, many business owners may still not have been made aware of them. As cyber breaches continue to become more prevalent, cyber-security has never been more important. Understanding these three changes to the PCI regulations is crucial for any business owner who wants to avoid both the penalties for non-compliance and the theft of cardholder data from his/her business. Here are the three changes.
SAQ adds 59 questions
Fifty-nine questions were added to version 3.1 of the PCI DSS self-assessment questionnaire. Most of these questions have to do with network security. In order to answer them, business owners will need a very technical understanding of how their business’s network is secured and how card data is segmented from other web traffic. Since business owners are held liable for stolen information, they need to be accountable by knowing these new questions and their answers in the self-assessment questionnaire.
Service provider definition expanded
One of the biggest changes in version 3.1 of PCI DSS is an expanded definition of the term “service provider.” Before the change, a service provider was any company that processed, stored, or transmitted card data for a merchant. With the definition change, a service provider is now any company that provides a service that could control or impact the security of cardholder data. That means that under the new definition, anyone who sets up, configures, or changes a merchant’s business network, whether that’s an in-house IT guy, a payment systems vendor, or a managed service provider, could be held liable along with the merchant for a breach that results in stolen card data.
Enforced network segmentation
Merchants have been required to segment payment traffic from all other web traffic since PCI DSS 2.0. But many business owners are not compliant with this requirement even though they report in the self-assessment questionnaire that they are. In order to enforce proper network segmentation, PCI DSS 3.1 now requires merchants not only to state in the questionnaire whether they have segmented payment traffic, but also to describe how they have done so.
What’s a small business owner to do?
Because cyber-threats are always adapting and evolving in response to security measures, the PCI DSS standards have to adapt as well. That means continual changes to the requirements. That’s manageable for large corporations, but smaller business owners have a hard time keeping up with all the changes. Fortunately, they can outsource their PCI compliance to a managed service provider (MSP), who will make sure the business is PCI compliant and stays up to date with changes to PCI regulations.
Source: Retail Customer Experience