The Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes the only version you can be assessed against starting in 2015, and that means some changes are coming for web hosting customers. If you have a website that accepts card payments, you have a web host, and you may be affected. Under the PCI DSS, any organization that stores, processes or transmits cardholder data, including sites that accept cards online and the providers that host them, is held to the updated requirements. The 3.0 changes themselves were published by the PCI Security Standards Council in November 2013, so it has been easy to overlook them during the transition year. Version 2.0 retires on December 31, 2014; from January 1, 2015, all assessments must be against version 3.0.
In order to be ready by next week, online businesses need to hustle to make it happen (procrastination is, after all, a common Millennial work habit). According to one expert, Zac Cogswell of WiredTree, “While the changes to the PCI DSS requirements are not a whole-scale rewriting, there are changes to some requirements that may catch web hosting users unawares… web hosting users handling credit card data have responsibilities under the requirements as well.” Go ahead and add it to your end-of-2014 task list: the PCI DSS is an industry standard enforced by the card brands and acquiring banks through merchant agreements, so it applies wherever you or your host are located, not only in the US.
Playing By the Rules
Get the complete list of updates from the Council’s Summary of Changes from PCI DSS Version 2.0 to 3.0, but know that just a few key changes are likely to apply to the average web hosting customer. Most importantly, any business handling cardholder data needs to document which controls are managed by its vendors and which it manages itself, and to keep an inventory of its suppliers of infrastructure (version 3.0 makes this explicit in Requirement 12.8.5, which asks you to maintain a record of which PCI DSS requirements each service provider is responsible for). Shared hosting is the obvious example: the host may patch the operating system and manage the firewall while you remain responsible for the application, its configuration and how card data flows through it, and an assessor will expect to see that split written down. If you have an early-2015 audit scheduled and you haven’t started the transition, there’s not much time left. However, if you have an end-of-year audit on the books, January is the perfect time to get started.
The PCI DSS is designed to provide a framework of requirements, testing procedures and supporting resources so that businesses handle cardholder data safely every step of the way: as it is received, transmitted, processed and stored. It helps prevent and detect security breaches, which has become a hot topic following the Sony breach. The Self-Assessment Questionnaires (SAQs) and guidance documents offered by the PCI Security Standards Council can help any online business understand which requirements apply to it and offer more security to its customers.
What’s on Tap
Manufacturers and device vendors are covered by the Council’s PIN Transaction Security (PTS) requirements, which apply to PIN entry devices and point-of-interaction terminals such as POS systems and specify the approved encryption options. Software vendors can take advantage of the Payment Application Data Security Standard (PA-DSS) and the Council’s list of Validated Payment Applications. There are also numerous training programs for individuals and firms to support compliance, from Payment Application Qualified Security Assessor (PA-QSA) to Internal Security Assessor (ISA) education, so there is an option for most roles.
However, the biggest question organizations have, especially when they’re small, is why comply? It seems like a great deal of work and it can be confusing. It may not be a statutory requirement for your organization, but it is a contractual one under your merchant agreement, and non-compliance can mean fines or loss of the ability to accept cards. More importantly, it results in more secure systems and more trust between your business and your customers. That means your target audience has more confidence when doing business with your organization, which leads to loyal customers and positive word of mouth.
You’ll also enjoy a better reputation and easier relationships with the partners you want to do business with, and, of course, a reduced risk of data theft. The PCI DSS can be the foundation of your corporate security program, and ultimately helps you meet other regulations that might apply to your business in the future (such as HIPAA).