The GDC Blog

Security is the key theme of the recently released PCI DSS 3.0 guidelines, set to be implemented by retailers this January. Hacking of payment systems has been on a significant rise. Breaches this year are up 75%, and thieves are becoming increasingly creative in their attempts to steal customers' data. To this end, the PCI DSS 3.0 guidelines focus on both raising security awareness and improving security practices.

Information security is increasingly on the radar of retailers. Executives know that hackers and identity thieves pose a threat, but at the associate level security knowledge is lacking. The chip-and-PIN standard has had success in reducing fraud, but criminals are bypassing those systems entirely. Recently, thieves inserted skimmers directly into the registers of a Nordstrom department store. Associates need to be aware that register tampering is a real threat.

Password security is another area addressed by the PCI DSS 3.0 guidelines. Training around password security is required, and the guidelines go as far as to require that the training be documented.

Improving security practices both internally and externally is also an important component of the new guidelines. As more retailers use third-party payment processors, retailers and their providers have more gates to defend. The guidelines treat payments as a network of systems. Controls such as anti-virus software, file integrity monitoring, and network authentication may sit outside the cardholder data environment, but all can affect its security. Retailers are required to ensure that PCI compliance continues even after payment processing is outsourced to a third party. Network segmentation, restricting network boundaries to reduce the scope of the cardholder data environment, is encouraged. Additionally, more frequent penetration testing is recommended, but the required minimum of 1 test per year is left unchanged.

The new PCI DSS 3.0 guidelines are anticipated to help bridge the gap between compliance and security for retailers accepting electronic payments. The new standards take effect January 1, 2014.