The new v3.0 PCI Data Security Standard is becoming a reality for merchants, with Merchant Services Providers sending letters detailing monthly fines to be imposed for non-compliance.
If a security breach occurs and a subsequent investigation shows that the merchant is not compliant (either by not completing the self-assessment questionnaire or by not following the requirements within the questionnaire on an ongoing basis), heavy fines will be levied.
And PCI DSS is being enforced and policed. The major card brands have systems in place to report suspected data security breaches; they deploy PCI Forensic Officers (PFOs) and impose fines depending on the outcome of the subsequent investigation.
Fines being issued are as follows:
- MasterCard's quarterly fines for non-compliance range from $25,000 for a first violation to $200,000 for a fourth violation for tier 1 and 2 retailers. Level 3 fines range from $10,000 to $80,000.
- Visa’s monthly fines are $25,000 for tier 1 retailers and $5,000 for tier 2.
With 71% of data breaches involving user devices in 2013, there is also a renewed focus on the point of interaction and its vulnerability.
New kid on the block
On Wednesday 27th August 2014, PCI recommended that merchants use Point to Point Encryption (P2PE) and issued comprehensive guidelines.
P2PE is designed to ensure that customer data is secure from the point at which a customer inserts their payment card until it reaches the acquiring bank. P2PE is not compulsory, but it eliminates the window for data theft that was exploited in the recent Target and Home Depot breaches: without P2PE, card data is decrypted for a short time while on the retailer’s network and then re-encrypted for passing to the acquiring bank.
In the US market, where the 2015 EMV requirement means that a large portion of retailers will need to replace their payment machines, it makes sense to consider replacing with payment machines which are EMV enabled and P2PE validated, killing two birds with one stone.
PCI DSS is a cost to businesses. Retailers must complete an annual SAQ, undertake quarterly vulnerability scans, scan their systems, train their employees, implement policies, and handle network updates. It’s a lot of work.
P2PE greatly reduces the PCI DSS burden for merchants by reducing the scope of the requirements. If they adopt a Council-certified P2PE solution, retailers no longer hold any customer card data: it is encrypted ‘at swipe’ and merchants have no access to the decryption keys. This means that the majority of the PCI DSS compliance burden is eliminated. The effort required to comply with PCI DSS reduces to ensuring the payment machine and the network are physically secure and completing an annual 18-question PCI Self-Assessment Questionnaire.
What about payment machine stands like Tailwind’s?
P2PE is much more explicit than the PCI Data Security Standards in terms of securing the POI (point of interaction). Point 9.9 of the PCI DSS Requirements and Security Assessment Procedures document states that merchants must protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
The PCI P2PE Solution Requirements and Testing Procedures, however, talk specifically about securing or fixing devices. The advice is definitive: a certified PCI P2PE solution requires devices to be physically secured to prevent unauthorised removal or substitution.
A supplementary document to PCI DSS, Skimming Prevention – Best Practices for Merchants, states:
"Secure all terminals to the physical structure of the payment location when possible."
"Secure terminal wiring and communication lines with conduit or within physical structures of the facility when allowed or required by local building codes. Limit exposed terminal cable and wire or non-secure channels for communication infrastructure when possible."
So, to achieve the best possible security standards for customer data and to achieve P2PE validation, physically securing the Point of Interaction is vital, and cabling needs to be channelled and invisible to the observer.
Businesses looking at the bigger picture of data security have a number of points to consider, not least of which is customer confidence. The full impact of the Home Depot breach is still under investigation, but there is no doubt that confidence has been lost and there will be a knock-on effect on sales. For every retailer a breach carries the risk of heavy fines combined with loss of business: a sobering combination.
When you combine these points with the enforcement of PCI DSS it creates a strong case for taking the security of cardholder data very seriously.
It makes a lot of sense for businesses to ensure PEDs are mounted securely, EMV enabled and P2PE certified.