PCI 3.0 Compliance and Shared Responsibility
- Jan 19, 2015
- By Fusion Marketing
Data breaches dominated headlines in 2014. In that year, according to the Open Security Foundation, 3 out of 10 of the all-time worst security breaches happened: 173 million records from the NYC Taxi & Limousine Commission; 145 million records at eBay; and 104 million records from the Korea Credit Bureau were compromised in some fashion. In addition, cybersecurity attacks on numerous high-profile companies made it clear that no industry went unscathed.
It wasn’t just big companies hit hard in 2014. According to a recent study conducted by the Ponemon Institute, 43% of organizations experienced a data breach involving sensitive or confidential customer or business information in the past 2 years. Now more than ever, the Payment Card Industry Data Security Standard—currently in its most recent iteration as PCI DSS 3.0—matters.
A Shift in Culture Toward Ongoing Security Best Practices
Let’s take a look at the key changes in PCI 3.0.
PCI DSS 3.0 emphasizes implementing best practices, and it promises to take retailers to a new level of threat awareness, prevention and remediation. By increasing security standards and making security best practices a part of the culture, businesses can improve the effectiveness of their security controls, maintain a PCI compliant IT environment, and safeguard customer data.
Changes in PCI DSS 3.0 can be classified into four main categories:
- Increased Awareness & Education: PCI 3.0 includes recommendations on best practices for implementation and encourages education and training, specifically in the areas of password management and awareness training.
- Greater Flexibility: PCI 3.0 spells out the intent behind each requirement, so merchants can choose among alternative controls that meet that intent. Where several solutions deliver the same level of security, any of them can be used to demonstrate compliance.
- Security as a Shared Responsibility: Shared responsibility for security is outlined and guidelines are provided to show exactly where security responsibilities should fall when multiple organizations are responsible for different parts of the network. A Third-Party Security Assurance Information Supplement is designed to help merchants and service providers better understand their respective roles.
- Monitor Controls Continuously: Periodic reviews of the network and routine audits ensure that issues and failures are addressed. This reinforces the idea that security reviews should be ongoing.
Fusion Connect PCI Compliance Services can help with all four areas. Our PCI services include a network assessment, continuous network monitoring and management, and compliance assistance.
A PCI Compliance Success Story
Established in 1923 in Rockland, Massachusetts, Tedeschi Food Shops, Inc. is one of New England’s most trusted family-owned and operated convenience store chains, with more than $600 million in annual revenue. The company operates 191 convenience store locations in both Massachusetts and New Hampshire.
Tedeschi realized it had to make changes for business reasons and compliance reasons, especially when it came to network segmentation. Many retailers struggle with this: it means isolating the systems that store, process or transmit cardholder data from the rest of the network, either physically or with firewalls, routers and access-control lists, and then verifying that the isolation actually holds. “We had older devices in some locations that didn’t meet these standards,” says Doug New, Chief Information Officer, Tedeschi Food Shops. “But Fusion Connect came in and made the necessary router improvements and other adjustments to enable compliance.”
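The segmentation verification described above, as an added example that is not part of the original article and not Fusion Connect's or Tedeschi's own tooling: a small Python model of a store network in which hosts belong to named segments and a first-match-wins, default-deny rule list governs traffic between segments. The check asks whether any host outside the cardholder data environment (CDE) can reach a CDE host on a path that is not on the documented exception list. The segment names, hosts, rules and the approved admin path are all constructed for illustration; the weak (flat) policy and the corrected (segmented) policy are shown side by side.

```python
"""Check a segment-level firewall policy for PCI-style network segmentation.

Hypothetical model: hosts are assigned to named segments, and a
first-match-wins rule list (no match = deny) governs segment-to-segment
traffic. All hosts, segments and rules below are constructed samples.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # segment name, or "any"
    dst: str             # segment name, or "any"
    port: Optional[int]  # None matches every port
    action: str          # "allow" or "deny"


def permitted(rules: List[Rule], src_seg: str, dst_seg: str, port: int) -> bool:
    """First matching rule decides; no matching rule means deny."""
    for r in rules:
        if r.src in (src_seg, "any") and r.dst in (dst_seg, "any") and r.port in (port, None):
            return r.action == "allow"
    return False


def segmentation_violations(
    rules: List[Rule],
    hosts: Dict[str, str],
    cde_segments: Set[str],
    ports: List[int],
    approved: FrozenSet[Tuple[str, str, int]] = frozenset(),
) -> List[Tuple[str, str, int]]:
    """Return (src_host, dst_host, port) triples where a non-CDE host can reach
    a CDE host on a path that is not in the documented exception list."""
    found = []
    for (sh, ss), (dh, ds) in product(hosts.items(), repeat=2):
        if ss in cde_segments or ds not in cde_segments:
            continue  # intra-CDE and CDE-outbound traffic are not this check's concern
        for p in ports:
            if permitted(rules, ss, ds, p) and (ss, ds, p) not in approved:
                found.append((sh, dh, p))
    return found


# Constructed store network: one CDE segment ("pos") and three non-CDE segments.
HOSTS = {
    "pos-terminal-1": "pos", "pos-terminal-2": "pos", "store-server": "pos",
    "backoffice-pc": "corporate", "printer": "corporate",
    "guest-ap": "guest_wifi",
    "mgmt-jump": "mgmt",
}
CDE = {"pos"}
PORTS = [22, 80, 443, 445, 3389]

# Weak policy: a flat network where everything can talk to everything.
FLAT_NETWORK = [Rule("any", "any", None, "allow")]

# Corrected policy: default deny into the CDE, one documented admin path,
# and only the outbound flows the business needs.
SEGMENTED = [
    Rule("guest_wifi", "any", None, "deny"),
    Rule("mgmt", "pos", 22, "allow"),          # documented admin path (hypothetical)
    Rule("any", "pos", None, "deny"),
    Rule("pos", "processor", 443, "allow"),    # outbound to the card processor
    Rule("corporate", "internet", 443, "allow"),
]
APPROVED = frozenset({("mgmt", "pos", 22)})   # the exception register


def flat_violations() -> List[Tuple[str, str, int]]:
    return segmentation_violations(FLAT_NETWORK, HOSTS, CDE, PORTS)


def segmented_violations() -> List[Tuple[str, str, int]]:
    return segmentation_violations(SEGMENTED, HOSTS, CDE, PORTS, APPROVED)


if __name__ == "__main__":
    print(f"flat network: {len(flat_violations())} reachable non-CDE -> CDE paths")
    print(f"segmented:    {len(segmented_violations())} unapproved paths")
```

Run the policy check again without passing the exception register and the admin path from `mgmt-jump` to each POS host on port 22 is reported, which is the point: every route into the CDE must be either blocked or written down and approved, and the check should be re-run after any change to the router or firewall configuration.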
Work with Experts
As data threats continue, businesses are turning to third-party service providers to help manage network and data security and compliance. Relying on third-party service providers to assist with managing, securing, and processing cardholder data has made compliance more of a shared responsibility.
Even if a merchant hires third-party service providers, the merchant ultimately remains responsible for the security of its cardholder data. It must ensure that employees and vendors follow its policies and procedures and honor all service level agreements and contractual obligations, and PCI DSS 3.0 (Requirement 12.8) expects the merchant to keep a written record of which requirements each service provider handles and which remain with the merchant itself.
Working with a service provider that specializes in PCI 3.0, such as Fusion Connect, can reduce the number of security headaches that retailers must deal with. Retailers don’t have to hire and continually train experts in network security or PCI, because Fusion Connect security experts monitor and analyze our customers’ networks around the clock. In fact, Fusion Connect is currently responsible for network monitoring at over 80,000 customer locations. Working with our fully trained network security experts lets our customers’ IT departments focus on other projects core to their business.
Perhaps you are among the 70% of businesses whose IT organizations are understaffed. That doesn’t mean you have to be the next data breach victim to make headlines.
Understanding PCI 3.0 standards is crucial to ensuring the security of cardholder data, and the experts at Fusion Connect are ready to help. To learn more, read about Fusion Connect’s PCI Compliance Services, or call us today at 866-300-0749.