Does your business transmit, receive, or store credit card information? Are you aware that your company needs to be PCI-compliant whether or not your vendors are? Many companies are not PCI-compliant, which suggests they are unaware of the latest Payment Card Industry Data Security Standards (PCI DSS) – Requirements and Security Assessment Procedures Version 3.1 – issued in April 2015.
Version 3.1 includes 114 modifications to the previous requirements and 16 new requirements. Below are two of the more significant new requirements:
Because of inherent weaknesses, Secure Sockets Layer (SSL) and early versions of Transfer Layer Security (TLS) are no longer considered acceptable for data protection. All new implementations must now use TLS 1.2, and organizations and businesses currently using the other protocols must have plans to migrate to TLS 1.2 by June 30, 2016.
This is a requirement specifically for service providers. Vendors must provide, – and merchants must obtain, – written acknowledgement that the vendors are responsible for the security of cardholder data they possess or otherwise store, process, or transmit on behalf of their customer, or to the extent that they could impact the security of the customer’s CHD environment. This became a requirement as of July 1, 2015.
One additional requirement that is not stated in Version 3.1 is instead mandated by credit card brands such as Visa, Mastercard, AMEX and Discovery. This requirement states that merchants must accept chip-and-PIN cards by October 1, 2015. At that time, liability shift for fraud can occur. For example, if a merchant has not deployed payment terminals with chip-and-PIN technology and a credit card with a chip is used in a fraudulent transaction, the merchant will be responsible for the majority of the fraud loss.
On the other hand, if the merchant can accept chip-and-PIN technology and the card issuer has not updated its cards to accept chip-and-PIN, the issuer will be responsible for the majority of the loss from fraud. The rule of thumb is this: The party with the lesser technology will always bear the weight of the fraud loss.
If you want more information on how to comply with PCI DSS or about Version 3’s modifications or new requirements, contact LaPorte CPAs & Business Advisors Senior Vincent Maggiore, CISA, at [email protected].