Meeting the New PCI Standards in Higher Ed
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The PCI DSS has just been updated to version 3.0, effective January 1, 2014. Some of the changes have far-reaching impacts, and the new version also includes many clarifications, real-life examples and flexibility built-in to enable college and university departments to meet the intent of the requirements. In this web seminar, originally broadcast on March 27, 2014, an industry expert discussed the impact of PCI DSS version 3.0 on higher education, and the keys to ensuring that your institution is meeting these important new standards.
PCI DSS version 3.0 was publicly released by the PCI Security Standards Council on November 7, 2013 and became effective on January 1. The PCI Council uses a three-year cycle to issue new standards, and we’ve just entered the newest cycle. We’re now in year one of version 3.0, and 2.0 will expire at the end of this year. The purpose of this one-year interim period is to allow everyone time to learn about the new requirements and to be able to comply with them during that time. Getting compliant with 3.0 has many implications. You should be getting ready now to implement these new standards. If you haven’t started yet, or you’re about to get started, our suggestion would be to comply under version 3.0. What you cannot do is combine 2.0 and 3.0 this year. There are really no new regulation requirements with 3.0—much of it is just clarification of 2.0.
The first key theme of 3.0 is “business as usual.” You want to make sure merchants understand that being compliant is more than a once-a-year event—it should be a daily activity. The next theme is clarity. There was a lot of criticism that the last PCI standards weren’t specific enough, so the new version is designed to be much more clear. The final theme is that security is a shared responsibility. It’s not just for merchants, the bookstore or the IT department; security is a shared responsibility among everyone at the university and any third-party vendors.
Business As Usual
Monitoring the effectiveness of your security controls is key. It’s not enough just to have controls in place; you must be actively using them. You can spend a lot of money putting new security controls in place, but if you’re not really deploying and using them across all of your cardholder data environment, there is little value to you. You should also ensure that all failures are detected and responded to quickly. Review the changes in your environment, both the technical and the organizational. These things are self-evident, but when the PCI Council reviewed breaches that have occurred over the years, it’s for these simple reasons that they’re occurring.
Like I mentioned, there’s very little change with the new standards. What has happened is they have made things more clear compared to before, so it’s easier to understand the intent of the requirements. Previously there were two columns: what the requirement was and what the testing for it was. Now they’ve provided a third column to act as a guide to understand what the reason was behind the requirement. The four merchant levels and the validation requirements also haven’t changed. What has changed are the SAQs, for sure.
What happened to SAQ A?
With your SAQ changes, you’ll need to be deciding, for example, are you going to attest under SAQ A or are you going to be attesting under the SAQ A-EP? You’ll need to decide that for a lot of your eCommerce applications. The SAQ A by definition is fully outsourced. If you go to the A-EP then, far more of the PCI Standards come into scope. It also means you may have more difficulty becoming compliant. For example, firewalls, logging, file integrity management and many more controls come into play. The difference is 14 controls in SAQ A vs. 139 in SAQ-EP.
Managing Your Service Providers
Regardless of the SAQ used for attesting compliance, far more is required of merchants in managing relationships with service providers. Previous versions of the PCI DSS mandated written agreements with service providers and establishing a process for how you engage with your service providers. Those also haven’t changed at all from 2.0 to 3.0. What has changed is that now you must make sure you have information about which PCI requirements are maintained by your service providers, and which ones are maintained by the merchant. For service providers, all the requirements are the same, but there has been a major new one put in place. They’re asking: “Do service providers acknowledge in writing that they are responsible for the security of cardholder data that they possess, or do they acknowledge the extent to which they can impact the security of the customer’s cardholder data environment?” What is required here is that the service providers must explicity state their responsibility of protecting cardholder data in their possession.
One university, which has been way ahead of the game, has been using pretty strong contract language for a couple of years. They’ve indicated that at all times the vendor will maintain compliance with the latest standard, they will supply written confirmation of their compliance to the merchant and that they acknowledge responsibility of the cardholder data under their control. The biggest thing in the contract language is where a service provider acknowledges that any and all costs related to a breach or intrusion under their control will be born by the service provider. Right now you should be reviewing and updating your contracts with service providers, even though 12.9 isn’t a requirement until June of next year. Go back and look at your issues and your requirements in 12.8 and make your decisions about how to approach this.
Protecting POS Devices
Another important part is protecting your point-of-sale service machines. There have been a number of attacks in the last few months on these devices. Requirement 9.9 is all about sound inventory management, but it may require colleges and universities to employ several new policies and procedures to protect these devices, such as maintaining an up-to-date inventory list, periodic inspections and personnel training. We need to prevent tampering, especially when switching out machines. This is another best practice that will be a requirement next year.
Mobile Payment Transactions
Mobile payments are another important issue. I’m not happy to report that there’s nothing new in 3.0 standards here. Everyone wants to know if they can use smart phones and tablets for taking payments coupled with “dongle” devices. First of all, these mobile devices are classified as a “Category 3” device. This means that because it’s not a single-use device and it can be used to surf the web and/or access email, that’s a problem. I know a lot of you are being pressured into using these devices from various groups on campus, because you want to be where the customer is and to sell things right away. Today these devices are not certified complaint by the PCI Council. There is an option with mobile cellular card terminals; a few are certified compliant, and you can check on the PCI Council website to make sure. Overall, version 3.0 is important, but it doesn’t really change how you comply or how QSA reviews will be conducted. It’s an improvement because there’s a lot of clarity to the previous requirements, which is beneficial to everyone in higher ed.
To watch this web seminar in its entirety, please go to: www.universitybusiness.com/ws032714