The Payment Card Industry Data Security Standard, or PCI DSS, is a set of guidelines aimed at protecting consumers who use credit cards, debit cards, gift cards, e-currency, and so on. First instituted in 2004, the standard was updated by the Payment Card Industry Security Standards Council in November 2013. PCI DSS 3.0 does not add many new compliance requirementsso much as it clarifies and strengthens existing guidelines. Nevertheless, the update does impact vendor risk management efforts, and your company must take steps to ensure third parties are adhering to the standard and doing their utmost to keep your customers’ credit card data secure.
Getting Serious About the Pentest
New penetration testing requirements under PCI DSS 3.0 may be the biggest concern for vendor risk managers. Penetration testing, also known as the pentest, simulates attacks on a merchant’s systems to see how secure the networks housing customer financial data are. The PCI update still mandates quarterly assessments but now requires the testing to be more rigorous. Merchants must also follow an approved methodology to prove its consumer payment data is segmented apart from other systems.
The latest PCI DSS 3.0 standard will be a challenge for some of your vendors, many of which don’t internally conduct penetration testing. A common practice is for companies to outsource their pentests and as such these 3rd parties may not follow a formal methodology. You would expect testing vendors’ costs to increase as they implement related changes and effectively pass these on in contract variations to maintain conformance—or they may cut corners.
Penetration testing is important for vendor and parent company alike—after all, knowing where a third party is vulnerable will direct your vendor risk management efforts—so insisting vendors are up to speed on the new standard is imperative. The pentest requirements of PCI DSS 3.0 are only a best practice until June 2015, but encouraging them before then will put your company and your vendors ahead of the curve.
Ensuring third parties are compliant with PCI testing guidelines requires active vendor risk management. You simply can’t rely on your vendors saying they are compliant and accepting that answer—even well-intentioned third parties might not realize they aren’t following the standards. Periodic risk screenings, updated to include the newest threats and, especially, PCI DSS 3.0, should delve into a vendor’s security measures to reveal its level of compliance. Furthermore, you should know how your vendors are managing their subcontractors, including ones that handle payment data and ones that perform penetration testing.
Vendor risk management should not be an obstacle to PCI-mandated testing, but rather, a complement. More than in previous versions of the PCI DSS, the latest iteration in 3.0 requires a shared responsibility between your company and your vendors to achieve compliance.
Have you asked yourself, how serious do my vendors take PCI DSS 3.0 compliance?