PCI compliance scope also covers any third party that handles card data on behalf of a merchant or could affect the security of that data: a data center that hosts the servers, a managed service provider that controls the firewalls, or a support service with access to a database full of credit card data.
Because many service providers do not handle card data directly, they may try to disclaim any and all responsibility for PCI compliance, leaving the merchant in an untenable position. Even where a third-party provider controls critical aspects of your PCI compliance, it may refuse to accept responsibility for the consequences should your customers' card data be breached.
To address finger-pointing in the aftermath of a breach, PCI DSS 3.0 introduces new requirements for merchants and service providers. Both parties must now formally document which PCI DSS requirements each of them is responsible for (12.8.5). In addition, service providers must acknowledge in writing their responsibility for the security of the cardholder data they possess or could affect (12.9), effective July 2015.
Despite these requirements, getting some third parties to agree to responsibility may be akin to pulling teeth.
Another major concern is tampering with physical point-of-sale devices. Effective July 2015, new requirement 9.9 calls for an inventory of the devices that capture card data and regular inspections of those devices to detect tampering or substitution.
Tampering is a recurring problem at gas pumps, ATMs and staffed checkout lanes with PIN pads, because skimmers and hidden cameras can be fitted to the devices. Aldi Supermarkets, Michaels Craft Stores and Barnes & Noble have all suffered breaches as a result of PIN pad tampering.
The new requirement is sometimes misread as demanding that point-of-sale devices be locked to an immovable object. Locking is not required; what merchants must do is inspect the devices for signs of tampering, whether or not they are locked.
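The inspection program behind requirement 9.9 is, in practice, a reconciliation: the inventory says what should be deployed where, and each walk-through records what was actually found. Below is an added example (not from the article or the PCI SSC) that performs that reconciliation over constructed inventory and inspection records and flags the outcomes a merchant cares about: a serial number nobody recognises (a substituted terminal), a device found somewhere other than its recorded location, a broken tamper-evident seal, a device nobody has looked at, and a device whose last inspection is older than the merchant's own interval. Field names, device models, serial numbers, locations and the 30-day interval are all assumptions of the example.

```python
from datetime import date

# Constructed device inventory for this example. PCI DSS 9.9.1 calls for
# make/model, location and serial number; these field names are the example's
# own, not a PCI SSC schema.
INVENTORY = [
    {"serial": "SN-A1001", "make_model": "Verifone MX915",  "location": "Store 12 / lane 1"},
    {"serial": "SN-A1002", "make_model": "Verifone MX915",  "location": "Store 12 / lane 2"},
    {"serial": "SN-A1003", "make_model": "Ingenico iSC250", "location": "Store 12 / customer service"},
    {"serial": "SN-A1004", "make_model": "Ingenico iSC250", "location": "Store 12 / pharmacy"},
    {"serial": "SN-A1005", "make_model": "Verifone MX915",  "location": "Store 12 / lane 3"},
]

# Constructed inspection log: one row per device actually observed during a
# walk-through. Staff record the serial printed on the unit, where it was
# found, the date, and whether the tamper-evident seal was intact.
INSPECTIONS = [
    {"serial": "SN-A1001", "location": "Store 12 / lane 1",   "date": date(2015, 3, 2),  "seal_intact": True},
    {"serial": "SN-A1002", "location": "Store 12 / lane 2",   "date": date(2015, 1, 15), "seal_intact": True},
    {"serial": "SN-A1003", "location": "Store 12 / pharmacy", "date": date(2015, 3, 2),  "seal_intact": True},
    {"serial": "SN-A1004", "location": "Store 12 / pharmacy", "date": date(2015, 3, 2),  "seal_intact": False},
    {"serial": "SN-ZZ999", "location": "Store 12 / lane 3",   "date": date(2015, 3, 2),  "seal_intact": True},
]

# Date the reconciliation is run (assumed for the example).
AS_OF = date(2015, 3, 3)


def latest_inspection_per_device(inspections):
    """Keep only the most recent record for each serial number."""
    latest = {}
    for rec in inspections:
        prev = latest.get(rec["serial"])
        if prev is None or rec["date"] > prev["date"]:
            latest[rec["serial"]] = rec
    return latest


def reconcile(inventory, inspections, as_of, max_age_days=30):
    """Compare the inventory with the latest inspection of each device.

    Returns a dict of findings. Every value is a sorted list of serial numbers
    except 'unknown_device', which pairs an unrecognised serial with the
    location it was found at and the serial the inventory expected there.
    """
    known = {d["serial"]: d for d in inventory}
    expected_at = {d["location"]: d["serial"] for d in inventory}
    latest = latest_inspection_per_device(inspections)

    findings = {"unknown_device": [], "never_inspected": [], "overdue": [],
                "moved": [], "seal_broken": []}

    for serial, rec in latest.items():
        if serial not in known:
            # A serial that is not in the inventory is the classic sign of a
            # swapped-out terminal; report what should have been at that spot.
            findings["unknown_device"].append(
                (serial, rec["location"], expected_at.get(rec["location"])))
            continue
        if (as_of - rec["date"]).days > max_age_days:
            findings["overdue"].append(serial)
        if rec["location"] != known[serial]["location"]:
            findings["moved"].append(serial)
        if not rec["seal_intact"]:
            findings["seal_broken"].append(serial)

    # Inventory entries with no inspection record at all.
    for serial in known:
        if serial not in latest:
            findings["never_inspected"].append(serial)

    return {kind: sorted(items) for kind, items in findings.items()}


def example_findings():
    """Run the reconciliation over the constructed data above."""
    return reconcile(INVENTORY, INSPECTIONS, AS_OF)


if __name__ == "__main__":
    for kind, items in example_findings().items():
        print(f"{kind:16s} {items}")
```

On the constructed data the run reports SN-ZZ999 at lane 3 where SN-A1005 was expected (and SN-A1005 as never inspected, which is the same incident seen from the inventory side), SN-A1003 moved from customer service to the pharmacy, SN-A1004 with a broken seal, and SN-A1002 overdue because its last inspection was 47 days earlier. The inspection interval is the merchant's own choice; PCI DSS 9.9.2 asks for periodic inspection without fixing a number, so `max_age_days` is a parameter rather than a constant.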
The January 2015 deadline for assessing under version 3.0 is around the corner. Although some of these requirements do not take effect until July 2015, merchants need to understand the definition of scope and segmentation, begin working with service providers to define responsibilities and, where necessary, amend contracts, and implement controls to prevent tampering and skimming at point-of-sale devices.
Merchants should keep in mind that the rest of the PCI DSS 3.0 requirements will be validated during their first SAQ or QSA assessment in 2015, so it is best to start addressing the necessary changes immediately. Merchants can consult a QSA company or attend a PCI SSC training class for an explanation of the requirements.
At the end of the day, merchants need compliance across all in-scope systems, not just the ones that directly handle credit card data, or they could be the next company announcing a security breach.