5 merchant cybersecurity steps become effective July 1

June 1, 2015

WASHINGTON (6/1/15)--Five merchant data security best practices outlined in a 2013 report will become requirements starting July 1. The standards are part of version 3.0 of the PCI Data Security Standard, and address point-of-sale (POS) vulnerabilities.

While the practices do indicate a focus on merchant responsibilities to keep consumer data safe, which CUNA supports, they are not as far-reaching as the strict merchant standards CUNA has advocated for.

The best practices that will become requirements July 1 are:

  • Merchants should secure authentication and online session management to help prevent the theft of online credentials;
  • Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
  • Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
  • Merchants should regularly inspect POS devices to ensure they have not been "swapped" or tampered with to skim or collect card details; and
  • Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.

“While any additional effort to increase protection of consumer data is a positive step, these new requirements are just a fraction of what’s needed to protect consumers, credit unions and other financial institutions from the costs of data breaches they didn’t cause,” said Elizabeth Eurgubian, CUNA’s deputy chief advocacy officer. “We will continue to push for data breach legislation that would put a strong standard in place where there currently is not one.”

CUNA has outlined to members of Congress the guiding principles that should be present in any data breach legislation--most importantly the use of Gramm-Leach-Bliley Act-like standards for any entity that handles consumer information.

Several lawmakers and witnesses expressed their support of those standards being applied universally in a recent House Financial Services Committee hearing.

CUNA supports the Data Security Act of 2015 (S. 961/H.R. 2205), which would set a strong, national security standard for all companies that handle consumer information.