 

What's New in PCI Version 3.0: POS Vendors and Passwords

12/30/2014  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security


On January 1, 2015, Version 3.0 of the PCI Data Security Standard (PCI DSS) becomes the mandatory compliance standard for any vendor that processes, stores, or transmits payment card data. For the duration of 2014, the new Version 3.0 rules were optional – vendors could choose to demonstrate compliance against Version 2.0 instead. Now that the changes are coming into full force, it’s important for vendors to understand their new responsibilities. That’s why we’re taking the time to explore some of the most significant new rules. In a previous post in this series, we discussed a new control designed to prevent scams at Point of Sale (POS) systems. Today, we’re going to talk about another change related to POS systems: PCI Requirement 8.5.1. This rule also impacts third parties that provide support for merchants.

Vendors and vulnerabilities

A lot of organizations have POS systems running on software written by another vendor. These merchants often have a contract with the vendor for technical support, upgrades, and related services. Generally, when the vendor provides support, they send a technician on-site to access the Point of Sale system through a user ID and password that only the vendor knows. But most vendors serve a large number of clients, and for the sake of convenience, many have used the same ID and password for every system and every client. You can imagine the danger here. If Client A is compromised – a hacker captures the system’s passwords, for example – then suddenly every other client of the vendor is at risk as well.

Compliance strategies

In order to address this problem, the PCI Security Standards Council added Requirement 8.5.1. This new rule stipulates that vendors and service providers must use unique security credentials for every customer’s systems. It is no longer acceptable to use shared usernames and passwords.

The PCI Council recognized that this is a major change for many service providers, requiring a good deal of work for those with many clients and systems to adjust, so the new rule is considered a best practice until July 2015. That means organizations with reporting dates before July are not required to demonstrate compliance with the new rule – but those who report afterward are responsible for it. For service providers, the change will mean that they must undergo an audit to demonstrate compliance.

What about merchants? We would advise merchants to drive implementation of this new security rule by specifying in their contract language with the service provider that their systems must have unique security credentials. This gives merchants an extra level of reassurance, as well as something to point to when demonstrating compliance themselves.

Ready to learn more? Be sure to download the free guide, PCI Compliance Guidelines Explained.
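As an added illustration (not code from this post or from LBMC): a small Python audit check that a service provider or QSA could run over an export of the vendor’s per-customer support credentials, flagging any password that is shared across more than one customer, which is exactly the situation Requirement 8.5.1 forbids. The export format, customer names, passwords and audit key below are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample export from a hypothetical vendor credential vault:
# (customer, system, username, password). Two customers share one password.
VAULT_EXPORT = [
    ("Acme Grocery", "pos-01", "svc_vendor", "Support2014!"),
    ("Acme Grocery", "pos-02", "svc_vendor", "Support2014!"),      # same customer, two systems
    ("Bob's Hardware", "register-a", "svc_vendor", "Support2014!"),  # reused across customers
    ("Cafe Luna", "terminal-1", "svc_vendor", "x7!Qm#2Lp9vT"),
]

# One-off key for this audit run (assumed), so the report never contains plaintext passwords.
AUDIT_KEY = b"constructed-audit-run-key"


def fingerprint(password: str) -> str:
    """Keyed fingerprint: equal passwords compare equal, but the report stores no plaintext."""
    return hmac.new(AUDIT_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_cross_customer_reuse(records):
    """Return {fingerprint: sorted customer names} for every password used at more than one customer.

    Reuse among a single customer's own systems is not what 8.5.1 addresses, so it is not reported.
    """
    customers_by_fp = defaultdict(set)
    for customer, _system, _username, password in records:
        customers_by_fp[fingerprint(password)].add(customer)
    return {fp: sorted(custs) for fp, custs in customers_by_fp.items() if len(custs) > 1}


def report(records):
    """Print one finding per shared password and return the findings for further processing."""
    findings = find_cross_customer_reuse(records)
    if not findings:
        print("OK: no vendor password is shared across customers")
    for fp, customers in findings.items():
        print(f"FINDING (Req 8.5.1): password {fp} shared by {', '.join(customers)}")
    return findings


if __name__ == "__main__":
    report(VAULT_EXPORT)
```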

Posted in: PCI Compliance