Let's talk about online payments
PCI DSS version 3.0, released by the PCI Security Standards Council (SSC) in November 2013, came into effect on January 1st 2014. To many people it meant reviewing an already long and complicated set of requirements that must be met in order to take card payments. On reading the SSC's stated reasons for the update, with the standard now entering its 10th year, it quickly becomes clear that the changes are pragmatic and sensible.
The majority of the changes are clarifications of wording that make the documentation easier to understand, together with numerous examples illustrating how each requirement may be applied. The PCI SSC is very clear that its role is to help organisations treat security as part of business as usual rather than as an annual audit exercise, and this drive towards awareness and education runs throughout the update.
There is still a need for this to be highlighted. The majority of security breaches are the result of failures of internal policy; weak passwords and phishing attacks are still top of the list. In fact Verizon's 2013 Data Breach Investigations Report, covering breaches investigated in 2012, found that “76% were directly a result of weak credentials, which allowed authentication based attacks.”
The changes to Requirement 8 address users' responsibility for their own credentials and their organisation's approach to authentication controls. There are also new requirements for service providers to have clearly defined, auditable policies governing how they access the environments they manage on behalf of customers. This brings us to another important aspect of PCI DSS 3.0: the idea of “security as a shared responsibility”.
This offers guidance to businesses that outsource some of their payment infrastructure, and it has particular relevance to online services and e-commerce websites. The principle has been introduced to address a common failing of the past: according to the PCI SSC, in 63% of investigations into security deficiencies, easily exploited configurations were found in environments where a third party was involved in supporting or maintaining the systems.
This has led to updates to Requirement 12, in particular 12.8.5, which requires the merchant to document which PCI DSS requirements are managed by each service provider and which remain with the merchant itself. In addition the standard includes a new point, 12.9, directed solely at service providers, which requires them to acknowledge in writing their responsibility for the cardholder data they hold or could affect; it is a best practice until it becomes a requirement on the 1st July 2015. Together these make the integration of outsourced parties more transparent and manageable.
Despite the new language and updated requirements, the core of the standard remains the same: if you store, process or transmit cardholder data then you need to address compliance. The option of keeping your website out of scope for almost all of the requirements is still a real one. Many payment providers offer a fully outsourced payment method (a hosted payment page or redirect) in which card data never touches your own servers, which reduces your obligations to the shortest self-assessment questionnaire. Out of scope is not the same as zero risk, however: you are still responsible for choosing PCI DSS compliant providers and for keeping the site that hands customers over to them secure. If you are in any doubt at all, your payment provider should be your first point of contact.
The cost of hiring a security professional may still be prohibitive for many smaller companies, so a strong relationship with your service providers is vital. PEER1 Hosting assists with compliance by explaining the requirements in everyday language and by providing a secure service offering. Our managed hosting facilities are all PCI DSS audited, so that the physical security requirements (Requirement 9) are covered for your application.
For a detailed look at the changes in PCI DSS 3.0, read the PCI SSC summary: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
To hear more from Mike, and to discover the performance benefits hosting can bring to your site, come along to our seminar, Magento Maximised, on the 4th March. Register Here.