PCI DSS Security Version 2.0 Or 3.0?
What is PCI DSS Security?
PCI DSS stands for Payment Card Industry Data Security Standard. It is the collection of standards that merchants who accept credit cards must adhere to in order to ensure that the private information contained on the cards remains private. The current version of the standard is 3.0. All companies that are still adhering to the 2.0 standards must switch to 3.0 by December 31, 2014.
What is Included in the PCI DSS Security System?
There are several categories of guidelines that govern how secure the different aspects of the card acceptance system need to be. The first category concerns building and maintaining a secure network that can accept cards without divulging private financial information to those with nefarious purposes. To meet these requirements, a retailer needs to install a strong firewall to keep out intruders and change all of the default passwords supplied by the vendor.
A second category is the protection of cardholder data. To meet these requirements, all stored data needs to be protected, and any data that needs to be transferred has to be appropriately encrypted to make it harder to access. The third category is minimizing vulnerabilities, which involves the regular use of anti-virus and vulnerability scans and developing methods to keep systems secure, updating them annually. Another category is implementing strong access control: all data is restricted to those who need to know, each person able to access the data is given an individual ID, and the number of people able to access any physical copies of the data is greatly limited.
The last two categories are monitoring and testing networks and maintaining an information security policy. Monitoring and testing the networks involves tracking all access to cardholder data, as well as running regular tests. An information security policy is essentially a policy that determines which employees will have access to the information, allowing security to be maintained throughout the company.
Does a Retailer Use PCI DSS Version 2.0 or 3.0?
Level 2 merchants who are waiting to become PCI compliant might be wondering which version is valid. The good news is that version 2.0 is valid until December 2014. While PCI compliance does take a few months, that is plenty of time to become compliant. Version 3.0, required after December 2014, is going to be more difficult, with 100 additional controls and more evidentiary support requirements. Nine months is more than enough time to go from gap analysis to PCI compliance, finish up PCI DSS 2.0, and get the ROC completed.
Contacting an established security provider as soon as possible would be wise. Level 2 merchants are now being targeted by banks to prove their compliance. Chase has recently sent out letters informing all of their merchants to become compliant as soon as possible. Visa, MasterCard, and American Express are also sending letters directly to merchants asking for proof of PCI compliance. Merchants are busy and PCI compliance is difficult, so it's no wonder merchants have put off compliance for so long, but waiting is no longer an option. The time to act is now.
How To Switch To Version 3.0?
The easiest way to do this is to follow the step-by-step guide provided by the PCI Council, which sets out milestones that need to be met. Advisory services, such as those provided by Trust Guard, can ensure that client companies meet all of the guidelines within the nine months allowed. This tends to be one of the simplest options, allowing companies to feel confident that all requirements are met.
Why is PCI Compliance Important?
It is important to be PCI compliant because following the guidelines is the most proven way to ensure that all customer information remains secure. This is critical because it keeps the brand intact and avoids costly breaches. A security breach has meant bankruptcy for many businesses, both big and small.
What are the Penalties for Not Being PCI Compliant?
Each company that provides cards, such as Visa and MasterCard, is able to set its own fines. These usually include an exorbitant sum of money to cover the inconvenience of a data theft, as well as the cost of sending out new cards, forensic audits, and damage to the brand, which decreases the number of customers willing to shop at a store. If a merchant has met PCI compliance standards, all of this can be avoided.