Some changes were made to the PCI DSS mandate on Jan. 1, 2015. It is important that business owners have a clear understanding of these changes, because they have a real impact on many businesses and vendors. Understanding them also matters because of the increasing number of security breaches caused by poor security measures. Let’s take a closer look at the three changes…
59 additional questions in the SAQ
59 additional questions now appear in the 3.1 version of the PCI DSS Self-Assessment Questionnaire (SAQ) for Internet-connected businesses. These pertain mostly to networks and network security, and answering them requires sound technical knowledge of network security and of how card data is segmented and isolated from all other Internet traffic. Understanding how to answer these PCI SAQ questions is therefore very helpful to every business owner who is accountable for cardholder security and compliance.
New definition of Service Provider
PCI DSS 3.1 now has a new definition of what a “service provider” is. Under the new definition, a “service provider” means any company that provides a service that could control or impact the security of cardholder data. Earlier it included only those companies that process, store or transmit cardholder data on behalf of a merchant. Now even those who provide network-related services to a business that handles cardholder data, especially those who help businesses set up, configure or change networks, including IT staff, payment system vendors, security camera companies etc., could end up being liable for data breaches and for cardholder data.
Proper network segmentation now enforced
Though companies were required under PCI DSS 2.0 to segment payment traffic from all other Internet traffic, many did not do so, even while claiming on their Self-Assessment Questionnaire to have done so. PCI DSS 3.1 seeks to prevent data breaches by enforcing proper segmentation: merchants now have to attest in the SAQ exactly how they are segmenting payment traffic.
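The gap between claimed and actual segmentation can be checked mechanically. The following is an added example, not code from the original article or from any PCI assessor: it evaluates a first-match firewall rule set for each out-of-scope zone against the cardholder data environment (CDE) and reports every allowed path into the CDE that is not on the merchant's documented, justified list. The zones, subnets, rules and the `DOCUMENTED_PATHS` set are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical network zones. The CDE is the segment that
# stores, processes or transmits cardholder data; everything else is out of scope.
ZONES = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: Optional[str]   # CIDR, or None for "any"
    dst: Optional[str]   # CIDR, or None for "any"
    port: Optional[int]  # None for "any port"
    action: str          # "allow" or "deny"


def matches(rule, src_ip, dst_ip, port):
    """True if a single firewall rule applies to this flow."""
    return (
        (rule.src is None or src_ip in ipaddress.ip_network(rule.src))
        and (rule.dst is None or dst_ip in ipaddress.ip_network(rule.dst))
        and (rule.port is None or rule.port == port)
    )


def decide(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit default deny, which is how
    most firewalls and ACLs behave."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"


def segmentation_violations(rules, documented_paths,
                            probe_ports=(22, 80, 443, 1433, 3389)):
    """Probe a sample host in every out-of-scope zone against a CDE host on
    common service ports. Any allowed flow that is not in the documented
    path list is a violation: the network is not segmented as the SAQ claims."""
    cde_host = next(ZONES["cde"].hosts())
    violations = []
    for zone, net in ZONES.items():
        if zone == "cde":
            continue
        src_host = next(net.hosts())
        for port in probe_ports:
            if (decide(rules, src_host, cde_host, port) == "allow"
                    and (zone, port) not in documented_paths):
                violations.append((zone, port))
    return violations


# Rule set A (constructed): the "we segmented it" claim. Guest Wi-Fi is blocked,
# but a catch-all allow left at the end opens the CDE to the whole corporate LAN.
CLAIMED_RULES = [
    Rule("192.168.50.0/24", "10.10.0.0/24", None, "deny"),
    Rule(None, None, None, "allow"),
]

# Rule set B (constructed): explicit, documented paths only, then deny into the CDE.
SEGMENTED_RULES = [
    Rule("10.20.0.0/24", "10.10.0.0/24", 22, "allow"),  # admin SSH, documented in the SAQ
    Rule(None, "10.10.0.0/24", None, "deny"),           # nothing else reaches the CDE
    Rule(None, None, None, "allow"),                    # traffic outside the CDE is unaffected
]

# The one path the merchant documents and justifies in the SAQ (constructed).
DOCUMENTED_PATHS = {("corporate", 22)}

if __name__ == "__main__":
    print("claimed rule set:", segmentation_violations(CLAIMED_RULES, DOCUMENTED_PATHS))
    print("segmented rule set:", segmentation_violations(SEGMENTED_RULES, DOCUMENTED_PATHS))
```

Run against the claimed rule set the check lists four undocumented corporate-to-CDE paths (ports 80, 443, 1433 and 3389); against the segmented rule set it lists none. The same probe loop can be pointed at an exported ACL to produce the evidence the SAQ attestation now asks for.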
Many businesses today outsource network security and PCI compliance to PCI Level 1-certified service providers that specialize in securing small and medium-sized business networks. This makes things easier, as these service providers reconfigure existing networks to be secure and PCI compliant. They do this by sending all traffic through a pre-configured security appliance installed on the network. They also lock down cardholder data, monitor and manage the network, and ensure PCI compliance, since under the new definition they too are responsible if a data breach happens.