The newest version of the Payment Card Industry Data Security Standard (PCI-DSS) went into effect on January 1, 2014. This means that all merchants must comply with these standards by October of 2015. The changes in PCI DSS 3.0 are detailed on the PCI Security Standards Council website, but three major changes worth noting are going into effect that will influence how small and medium-sized businesses interact with customers.
59 More Problems
Every year, merchants must fill out the PCI-DSS self-assessment questionnaire (SAQ). This survey helps merchants and providers evaluate their level of compliance with the PCI-DSS. The new version of the questionnaire features 59 additional, highly technical questions, making the survey a whopping 139 questions. The new questions are an additional complication that demands deep technical knowledge and an understanding of complex security issues. To complete the questionnaire, merchants must be able to answer accurately questions that relate specifically to their network security.
The Definition of Service Provider
The definition of service provider has been expanded. Previously, a service provider was any business entity that was not a payment brand and was directly involved in the storage, processing, or transmission of cardholder data for another entity. The definition now also includes any company that provides a service that controls or impacts cardholder security. This means that anyone who sets up, changes, or configures a merchant’s business network is liable in the event of a data breach. Unfortunately, most of these people or businesses lack the expertise to build an ironclad network that can keep out sophisticated attackers. The good news is that if the IT contractor or payments-system vendor does possess this expertise, this change won’t affect the merchant.
Proof of Network Segmentation
Previously, PCI compliance required merchants to segment their networks by separating payment traffic from daily business network traffic. However, authorities believe that many merchants are not truthful about their network segmentation, so PCI-DSS 3.0 requires merchants to document exactly how they are segmenting their traffic.
New PCI compliance rules can be overwhelming for high-risk merchant account owners who just want to run a successful business. Contact eMerchantBroker.com to manage your account. Our experienced payment processors understand the new rules and can make sure your business is compliant.