New payment card security standards released this week are set to come into force on January 1. They include advice for retailers who are outsourcing their payment processing to third-party payment providers, requirements to educate and train staff, and warnings on emerging new forms of fraud, and how to avoid them. We spoke to PCI European director Jeremy King on why the update matters to retailers.
Security standards may not be the most interesting subject, but the news that the PCI Security Standards Council has updated the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) as part of its three-yearly cycle of updates does matter to retailers, even those who have outsourced their payment provision.
The update to version 3.0 puts emphasis on retailers’ continued responsibility for their payment processes, even when these are outsourced to a third-party provider. New guidance is given on outsourcing PCI DSS responsibilities, while the responsibilities of service providers are also updated.
PCI European director Jeremy King told Internet Retailing: “In the ecommerce sector, a lot of merchants say to us they’re experts in selling, not security and they’re looking to use third party service providers to handle the payments page. That has introduced some new challenges and new weaknesses and we’ve introduced some new requirements around third party service providers in conjunction with a special interest group we’ve had running this year to make sure merchants are aware of their responsibility when they’re using a third-party data provider and what the third party’s responsibilities are to make sure that everyone knows who is responsible for securing the data.”
He said that while using third-party providers to process payments and store related data did mean that retailers didn’t have to face the challenges of handling that data, the move to outsource did create an extra interface within the system.
“Sometimes the criminals can use the interface between the merchant and third-party provider as a portal to get to the third-party provider. You can’t just absolve yourself, wash your hands and say that’s it, we’re not handling this. It’s important that you make sure your third-party provider is PCI approved and validated. You can ask them for proof of that. And it’s important you work with them to make sure you each know your responsibilities. You still have an overall view of the security.”
There’s also guidance on password policies for access to banking services or accounts set up with a retailer, recognising the need for flexibility in, for example, allowing organisations to use the password strength that’s most appropriate for their security strategy.
Another key part of the standard update focuses on the need to build security into business-as-usual, since employees can often enable attacks by picking weak passwords, clicking on phishing links or sharing company information on social or other media.
King said: “We’re finding organisations that spend more time on training their staff and making their people aware of the security challenges are less likely to be breached. We’ve gone through the standard to try and improve the requirements and sub-requirements to focus on providing training and education for people and when organisations have been assessed then the assessors will be looking to see that this training and education has been taking place.”
He pointed to new explanations within the standard of ways to make PCI DSS business as usual.
For example, King said that multichannel and store-based retailers need to be aware of a scam that involves bogus engineers turning up at retail premises to take away the terminal used for card payments, supposedly for servicing, and leaving a fraudulent replacement. A variation on this has seen retailers receive a replacement terminal in the post and be asked to return their existing one. Both lead to fraudulent use of the terminal.
“We’ve increased some of the security requirements around understanding your face-to-face terminal,” said King. “If someone turns up unexpectedly you just send them away. An engineer should never turn up unexpectedly. And if a terminal just appears don’t touch it.
“We also have requirements around understanding your terminal, knowing what it looks like and how you can be sure that it hasn’t been stolen, replaced or modified. With some simple processes you get into this business as usual about just checking that the terminal is as it was when it was left last night, with the same number of wires, and so on.”
King said that while there were no specific references to mobile payments in the new standard, retailers must make sure that however they use mobile, their payment processes still meet PCI DSS requirements.
“For mobile phones at the moment that is a challenge because of the security challenges surrounding mobile phones,” he said. Research suggests there were in the region of 500,000 incidents related to Android malware in the last year.
King added: “The weakness with mobile is the weakness of the device itself. The potential is that you could inadvertently have rogue software on your phone that you didn’t know. If cardholder data is going through the phone in clear text, then the potential is that malware could intercept it and send it off to the criminal.”
Specific modules of the PCI standards covering terminal security also cover the plug-in card readers attached to mobile phones so that payments can be taken. The standards require that those devices encrypt the data immediately as it is read. “Then we can have confidence that cardholder data is going through the phone encrypted and then it is of no use to criminals,” said King. “It’s making sure that we can provide secure products for the merchant to be aware of the risk associated with using these devices. Our guidance gives lots of detail on how to manage and use mobile phones where they’re used for accepting payment and on how to make sure the data is secure as it goes through to the acquirer.”
Approved products and devices are listed on the PCI DSS website. A taskforce has also been working for the last year to see how mobile devices can be covered by PCI DSS and will issue regular updates.
The PCI Security Standards Council was founded in 2006 by major payment card brands, including Visa, MasterCard and American Express. It is a global forum responsible for managing the development of the PCI DSS, whose standards retailers must meet in order to be able to accept bank card payment on their websites, and also raising awareness of it.