Five Merchant Cybersecurity Steps Become Requirements July 1
Monday, June 1, 2015 6:35 AM

Effective July 1, five merchant data security best practices outlined in a 2013 report will become requirements. The standards are part of version 3.0 of the PCI Data Security Standard and address point-of-sale (POS) vulnerabilities. While the practices do indicate a focus on merchant responsibilities to keep consumer data safe, they are not as far-reaching as the strict merchant standards CUNA has advocated for.

The best practices that will become requirements July 1 are:

  • Merchants should secure authentication and online session management to help prevent the theft of online credentials;
  • Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
  • Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
  • Merchants should regularly inspect POS devices to ensure they have not been "swapped" or tampered with to skim or collect card details; and
  • Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.

CUNA has outlined to members of Congress the guiding principles that should be present in any data breach legislation, most importantly the use of the Gramm-Leach-Bliley Act. Several lawmakers and witnesses expressed their support of those standards being applied universally in a recent House Financial Services Committee hearing.

CUNA supports the Data Security Act of 2015 (S. 961/H.R. 2205), which would set a strong, national security standard for all companies that handle consumer information.