Are You Ready?: New PCI Security Rules Will Require Changes
Company Added
Company Removed
Apply to Request List

Are You Ready?: New PCI Security Rules Will Require Changes

Are You Ready?: New PCI Security Rules Will Require Changes

Hopefully, you've heard that the Payment Card Industry Data Security Standard (PCI DSS) has changed... again. In November 2013, the PCI Council released PCI DSS version 3.0 and set the compliance deadline for January 2015. With only a few busy months remaining, many businesses (including franchisees) aren't even close to compliance with the new standard.

Why change the standard? Changing technologies often improve business efficiency, but aren't bulletproof to the weaknesses consistently found and exploited by hackers. New security regulations like PCI 3.0 are released to protect new technologies against recent hacking trends.

In my opinion, Requirement 4.1 is the biggest PCI 3.0 change for franchisees. Many franchises and chains use satellite communications to connect locations. According to the newest version, it's no longer acceptable to rely on the link provider's system security. Instead, it's your responsibility to encrypt satellite communications containing cardholder data so it remains secure.

If your franchisor hasn't already asked you to begin implementing PCI 3.0 changes, they (or your bank) probably will soon. Here are three themes I've seen while reviewing additions to the newest PCI standard.

1) Secure sensitive data

Security clearances aren't only for high-tech companies and weapons manufacturers. For example, restricting access to the administrative portions of POS systems or hotel management applications can lower the chance of malware entering a system. PCI 3.0 digs deep into employee restrictions to safeguard access to customer data with a handful of new requirements.

  • Requirement 5.3 reminds us that anti-virus protection shouldn't be able to be altered without managerial approval. If anyone can turn it off, they could leave a business vulnerable to malware entering the system.
  • Requirement 7.1.1 requires a role-based access control system. This means employee access to card data and systems should be granted only on a need-to-know basis.
  • Requirement 9.3 is all about controlling physical access to sensitive areas. If an employee's job doesn't require them to have access, make sure they don't have access.

2) Review, revise, repeat

From my security experience, many breaches are caused in part by a lack of process review. Errors can easily occur because of ignorance, poor planning, lack of attention, or timing and can lead to security decay. The PCI Council definitely thought that double-checking software, processes, and devices was an important part of a secure business environment.

  • Requirement 9.9.2 ensures merchants regularly examine POS devices to make sure they haven't been tampered with. This is especially important in the case of POS systems left out in the open and unattended for a lengthy period, such as gas station terminals.
  • Requirement 10.6.2 states the importance of reviewing logs of all system components. Periodically reviewing logs helps determine if suspicious activity is occurring.

3) Document, document, document

Documentation is a four-letter word to most franchisees. Who wants to devote precious resources to documentation? Well, the upsides are significant. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized. That's probably why PCI version 3.0 has so many new requirements about documentation.

  • Requirement 1.1.3 asks merchants to create a cardholder data-flow diagram to show how cardholder data enters and flows through the network.
  • Requirement 2.4 requires a document that lists all "in-scope devices" and their function (this means every POS system, computer, mobile device, etc.).
  • Requirement 9.9.1 is very similar to 2.4 and requires merchants to maintain an up-to-date list of all devices including physical location, serial numbers, and make/model.
  • Requirement 11.1.1 asks merchants to maintain a complete list of authorized wireless access points and justify why they are needed in the business environment.
  • Requirement 12.8.5 requests two lists:1) the PCI requirements your third-party service provider meets, and 2) a list of PCI requirements your business is required to meet. This requirement is an attempt to avoid miscommunication between third parties and merchants on who is responsible for which PCI requirements. In a franchisee's case, it would probably be beneficial to have a similar list explaining the security responsibilities of both you and your franchisor.


Even though I didn't go over every change from PCI 2.0 to PCI 3.0, I hope you can take what you've learned and begin to apply it in your security processes today. Start examining your physical devices for tampering, begin your list of wireless access points, and instigate company-wide role-based employee access. I promise you'll be more secure. Not to mention, close to compliance by the oncoming deadline.

Giles Witherspoon-Boyd, PCIP, is enterprise account manager at SecurityMetrics and assists businesses in defining their PCI DSS scope. For more information about SecurityMetrics, visit

Published: November 21st, 2014

Share this Feature

Potbelly Sandwich Works
Potbelly Sandwich Works
Potbelly Sandwich Works

Recommended Reading:


comments powered by Disqus
The Human Bean



Multi-Unit Franchisee Magazine: Issue 4, 2014
Multi-Unit Franchisee Magazine: Issue 4, 2014

Hungry Howie's Pizza
Caesar's Forum, Las Vegas
MAR 25-28TH, 2025

At LeafSpring Schools, we differentiate ourselves by a proven approach to early childhood education, validated by more than 35 years of successful...
Cash Required:
Request Info
The hottest new franchise is here (literally 150°). Perspire has developed, formulated and tested the most superior infrared sauna studio model...
Request Info

Share This Page

Subscribe to our Newsletters