Are you ready for the new PCI standards?

Back in 2005, there was a massive increase in reported credit card data breaches with the now infamous Card Systems breach alone accounting for over 40 million credit card numbers being exposed to the hackers and criminals.

In response to those early attacks, the major card brands, which include Visa, MasterCard, American Express, Discover Financial, and JCB International, merged their data security requirements for acquirers and merchants into a common standard called the Payment Card Industry (PCI) Data Security Standard (PCI DSS).

The trend in credit card theft has only been exacerbated by the fact that credit card theft has now become a target for organised crime.

In 2013, US retailer Target suffered a security breach where 40 million credit card numbers were stolen, along with 70 million other personal records including names, dates of birth and address details. And those breaches are only the ones we hear about.

And the problem continues with more sophisticated attacks. In response, the PCI Security Standards Council has issued a new set of compliance rules (v3.0 and a subsequent minor release v3.1) which came into effect on 1 July 2015. The result of these changes is the addition of over 85 new controls that must be adhered to, plus a more prescriptive approach. This can make the annual PCI audit a much more intensive and daunting exercise than it has been previously.

During 2014, it was estimated that only one in 10 organisations were fully PCI compliant.

In terms of security testing and scanning, something that falls under Requirement 11 of the PCI standard, many organisations fell short and were not able to run their quarterly vulnerability scans effectively. This is an area where an external compliance organisation can make a huge contribution ensuring compliance.

Every single company that had a data breach was not PCI compliant in some way with PCI requirement 10, which requires having continuous visibility into user activities to detect fraud. The takeaway from this is that tracking and monitoring are no longer optional activities — they are a requirement.

Furthermore, while the requirement for internal and external penetration tests have been with us since the early versions of the PCI requirements, additional requirements must be met subsequent to 1 July this year. These tests must be performed using industry-accepted methodologies both internally and externally. The penetration testing must also be carried out at least once per year.

Because it's the banks that hold the direct relationship with the merchant community, and not the card schemes, it is the responsibility of the acquiring bank to ensure compliance of their merchants and processors according to the PCI standard. This means that Australian banks are now charged with ensuring their large populations of credit card merchants comply with the PCI standard.

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, card brands like Visa or MasterCard may fine the acquiring bank, who in turn may pass on the cost to the merchant and impose restrictions on the merchant, or permanently prohibit the merchant from participating in Visa or MasterCard programs.

Significant fines (up to $500,000) can be levied on any merchant or service provider that is compromised and not compliant at the time of an incident.

Chris Williams is Chief Executive Officer at Securus Global, responsible for a number of online security segments including penetration testing, threat and vulnerability management, PCI auditing as well as governance, risk and compliance.