By Jeff Sanchez, Managing Director
IT Security and Privacy
Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS 3.2), the information security standard that guides how entities process, hold and transmit cardholder data, comes into effect today, Nov. 1, 2016. In a post last month we discussed the details and implications of the new standard. Here, we want to point out one change of the new standard that has gone largely unnoticed.
This change affects online order merchants that redirect customers to third-party payment pages to avoid collecting, processing, or storing credit card data on their own servers.
Aimed at addressing known vulnerabilities on the merchant side of the redirect process — including the ability for attackers to alter the redirect and thereby capture credit card data — the change does not introduce new requirements. Rather, it adds six controls drawn from existing parts of Requirement 2 (changing default passwords and implementing an incident response plan) and Requirement 8 (unique user IDs and strong passwords, disabling access for terminated users, and not using group or shared passwords) to the self-assessment questionnaire (SAQ A), which must be completed annually.
E-commerce merchants that redirect customers from their website to a third party for payment processing will need to validate these requirements for the web server on which the redirection mechanism is located.
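As an added example (not part of the original post), here is one way the merchant's web server could confirm, before sending a customer onward, that the redirect target is still the expected payment page rather than a tampered one; the approved host and the sample configured redirects are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hosts the merchant has approved for payment redirects (constructed placeholder).
APPROVED_PAYMENT_HOSTS = {"pay.example-processor.com"}

# Redirect targets as they might appear in a web server or checkout config
# (constructed sample; three of the four have been altered).
SAMPLE_CONFIGURED_REDIRECTS = [
    "https://pay.example-processor.com/checkout?order=123",      # expected target
    "http://pay.example-processor.com/checkout",                  # downgraded to http
    "https://pay.example-processor.com@evil.example/checkout",    # userinfo trick
    "https://pay.example-processor.com.evil.example/checkout",    # lookalike subdomain
]


def check_redirect_target(url, approved_hosts=APPROVED_PAYMENT_HOSTS):
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly on the approved list, with no userinfo and no unusual port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (user@host trick)"
    host = parts.hostname  # urlsplit lower-cases the hostname for us
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is not None and port != 443:
        return False, "non-standard port %d" % port
    if host not in approved_hosts:
        return False, "host not on approved list: " + host
    return True, "ok"


def audit_redirect_config(configured_urls):
    """Check every configured redirect target; return [(url, reason), ...] for
    any that fail, so an operator or monitor can flag a changed redirect."""
    findings = []
    for url in configured_urls:
        ok, reason = check_redirect_target(url)
        if not ok:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in audit_redirect_config(SAMPLE_CONFIGURED_REDIRECTS):
        print("REJECT", url, "->", reason)
```

Running the same check against the stored configuration on a schedule, and alerting on any new finding, turns it into a simple detection for an altered redirect.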
MOTO (mail order/telephone order) or e-commerce merchants that have completely outsourced all operations may not have any systems in scope for SAQ A, and in these circumstances these requirements could be considered “not applicable.” If a requirement is deemed not applicable, the merchant should select the “N/A” option for that requirement, and complete an “Explanation of Non-Applicability” worksheet for each “N/A” entry.
As controls go, these are pretty light-duty, certainly much lighter than the hundreds of controls required of merchants that collect and hold credit card information. They are easy to address, and they are things that merchants should probably already be doing anyway. We recommend immediate adoption.