Fri, Jun 5, 2015
That's because the new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses, says Don Brooks, senior security engineer at security and forensics firm Trustwave.
The best practices, which were included when PCI-DSS version 3.0 was released in November 2013, state:
- Merchants should secure authentication and online session management, to help prevent the theft of online credentials;
- Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
- Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
- Merchants should regularly inspect POS devices to ensure they have not been "swapped" or tampered with to skim or collect card details;
- Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.
Source: CUinfo Security