PCI 3.0: Vital Security Lessons for Merchants

PCI 3.0: Vital Security Lessons for Merchants


A new version of the Payment Card Industry Data Security Standard, version 3.0, came into effect at the beginning of 2015. Described as an “evolution, not a revolution”, and in the wake of a series of devastating data breaches, PCI 3.0 tightens up many card security requirements.

Every merchant that handles credit card data in any form must be PCI compliant—our infographic explains why PCI Compliance is so important. Also, many of the changes in PCI 3.0 affect how merchants deal with service providers. Even if merchants have third parties working on credit card data security, they still have important obligations.

E-complish, which is fully PCI compliant, has drawn out some important security lessons for merchants from the new standards.

Know who’s responsible for compliance with each and every standard

When it comes to data security, it’s not enough to say that a third party is ‘dealing with it’. Under PCI 3.0, merchants must now know—and be able to say—exactly who is responsible for compliance with each individual PCI requirement. That may be a third party, or it may be the merchant themselves, but for each requirement, there must be clear lines of responsibility.

Lesson: Understand who is responsible for each PCI requirement. Set expectations with your service providers—do they understand you’re relying on them for compliance?

Know who can endanger your customers’ data

Merchants will often depend on external service providers for PCI compliance. PCI 3.0 now requires merchants to apply rigorous standards, not just to service providers who manage cardholder data, but any service provider that could affect the security of cardholder data.

In other words, if your service provider could compromise cardholder data, it’s irrelevant that they don’t store or transmit any data.

To really understand what this means, consider the Target hack. In that case, hackers probably breached Target’s network using the stolen credentials of an HVAC provider in Pennsylvania. That vendor likely had network access to monitor Target’s energy consumption and temperature—nothing to do with payment systems. But that access was enough for the hackers to put malware into Target’s point of sale systems and steal 40 million credit card numbers.

Lesson: Think about who has access to your systems outside your business. Do they really need that access? What do they do to protect your customers’ data?

Prevent physical tampering with devices

In an era of remote hacking, credit card skimming is not front of mind for many merchants. But it continues to happen, with skimmers found on ATMs and at gas stations in recent weeks.

New PCI requirements are intended to ensure that physical devices that capture credit card data, like credit card readers are kept secure. If left unprotected, these devices are vulnerable to tampering and credit card skimming.

Starting July 1, 2015, merchants must take an inventory of their physical devices, inspect them regularly to identify tampering, and training their staff to report suspicious behaviour.

Lesson: Some of the measures merchants can take include:

  • keeping photos of secure devices to compare with devices during inspection
  • using UV marker pens to indicate tampering
  • being aware of scams such as fake maintenance personnel “inspecting” point of sale systems.

E-complish has strong expertise in PCI compliance and can help secure your business’s payment systems. Browse our suite of fully PCI-compliant payment solutions.