PCI DSS applies to manufacturers, software developers, merchants, and processors, but in my opinion a great deal of the responsibility falls on the merchants to make sure that the other members of this chain are current with PCI DSS.
The merchant is the one who chooses the manufacturer or developer, accepts the credit card, and owns the eCommerce website. The PCI Compliance Guide states, “Merchants are prohibited from implementing new technology that relies on SSL or early TLS; and SSL and early TLS are no longer considered a best practice for strong encryption.” In the PCI SSC's usage, “early TLS” means TLS 1.0 (the Council's migration guidance also treats TLS 1.1 as weak and recommends TLS 1.2 or later), so a site that turned off SSLv3 after POODLE but still accepts TLS 1.0 is not in the clear. As I previously stated, the merchants have to be aware. One problem is that merchants don’t usually understand Secure Sockets Layer (SSL).
In the past, merchants with eCommerce sites have been required to fill in a few boxes and check off a few items to be considered “safe.” Compliance was about taking care of their own requirements and then passing the responsibility off to a credit card gateway. Now, with version 3.1 issued in April 2015 and a full migration deadline of June 30, 2018 (originally June 30, 2016; the PCI SSC extended it in December 2015), the group has to work together - manufacturers, software developers, merchants, and processors - to create a safe structure and produce evidence that each member meets the standard. The weakest link can bring down the whole house. Evidence of compliance is key.
PCI 3.1 is meant to apply throughout your organization, not just in a few minimalist areas. CloudFlare writes, “PCI 3.1 was designed to integrate into the everyday operations of a compliant organization. This integration ranges from installing itself in critical operational processes, to ensuring that PCI compliance is an integral part of the Software Development Lifecycle (SDLC) that the company uses to build its products. PCI is present at every level of the operation.”
The most current timeline looks like this:
April 15, 2015: PCI DSS 3.1 is issued. Effective immediately, new implementations (a new eCommerce site included) must not rely on SSL or early TLS.
June 30, 2016: the original deadline for migrating existing implementations off SSL and early TLS.
June 30, 2018 (updated date): the extended deadline, announced by the PCI SSC in December 2015, by which existing implementations must have completed the migration under the new standard. The only carve-out is for POS POI terminals (and the points they terminate to) that can be verified as not susceptible to known SSL/early TLS exploits; it does not cover eCommerce sites.
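As an added example (not code from the original post, nor from PayPal, CloudFlare or the PCI SSC), here is a small Python checker for the prohibition quoted earlier and the timeline just given: it reads an Apache `SSLProtocol` or nginx `ssl_protocols` directive, works out which protocol versions the server will actually offer, and flags SSL and TLS 1.0 as failures and TLS 1.1 as a warning. The sample configurations are constructed; the first is the typical post-POODLE fix (SSLv3 off, TLS 1.0 still on), which is exactly the state that passes an old “is SSL disabled?” checkbox but fails PCI DSS 3.1. One assumption is that Apache's `all` keyword includes TLSv1.3, which holds for builds against OpenSSL 1.1.1 or later.

```python
"""PCI DSS 3.1 "SSL or early TLS" check over web-server protocol directives.

Added example, not code from the original post. It reads the `SSLProtocol`
directive of Apache httpd (mod_ssl) or the `ssl_protocols` directive of
nginx, works out which protocol versions the server would actually offer,
and reports PCI DSS 3.1 findings. The sample configurations at the bottom
are constructed for this example.
"""
import re
from typing import List, Optional, Set

# Every version Apache's "all" keyword expands to in mod_ssl 2.4 (SSLv2 is
# gone; TLSv1.3 is included on builds against OpenSSL 1.1.1+, assumed here).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# PCI DSS 3.1 / PCI SSC migration guidance: SSL (any version) and TLS 1.0 are
# "SSL and early TLS" and must go; TLS 1.1 is weak and discouraged; TLS 1.2
# or later is the recommended minimum.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}
DISCOURAGED = {"TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

_CANONICAL = {v.lower(): v for v in APACHE_ALL | PROHIBITED}
_APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_NGINX_RE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.MULTILINE)


def apache_enabled(config: str) -> Optional[Set[str]]:
    """Versions enabled by an Apache SSLProtocol line, or None if the directive is absent.

    Apache semantics: a bare name or +name adds a version, -name removes one,
    and 'all' expands to every supported version; tokens apply left to right.
    """
    match = _APACHE_RE.search(config)
    if match is None:
        return None
    enabled: Set[str] = set()
    for token in match.group(1).split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = APACHE_ALL if name.lower() == "all" else {_CANONICAL.get(name.lower(), name)}
        if sign == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def nginx_enabled(config: str) -> Optional[Set[str]]:
    """Versions listed by an nginx ssl_protocols directive, or None if it is absent."""
    match = _NGINX_RE.search(config)
    if match is None:
        return None
    return {_CANONICAL.get(name.lower(), name) for name in match.group(1).split()}


def assess(enabled: Optional[Set[str]]) -> List[str]:
    """Turn an enabled-version set into PCI DSS 3.1 findings (empty list means clean)."""
    if enabled is None:
        return ["FAIL: no protocol directive found; the server default applies and must be verified"]
    findings: List[str] = []
    for version in sorted(enabled & PROHIBITED):
        findings.append(f"FAIL: {version} enabled (SSL/early TLS is prohibited by PCI DSS 3.1)")
    for version in sorted(enabled & DISCOURAGED):
        findings.append(f"WARN: {version} enabled (permitted, but PCI SSC recommends TLS 1.2 or later)")
    if not enabled & ACCEPTABLE:
        findings.append("FAIL: no TLS 1.2 or later version is offered")
    return findings


def check_config(config: str) -> List[str]:
    """Pick the parser from the directive present and assess the result."""
    enabled = nginx_enabled(config) if "ssl_protocols" in config else apache_enabled(config)
    return assess(enabled)


# Constructed sample configurations (not taken from any real merchant).
APACHE_POST_POODLE = "SSLProtocol all -SSLv3\n"            # SSLv3 off, TLS 1.0/1.1 still on
APACHE_PCI_31 = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"  # TLS 1.2+ only
NGINX_LEGACY = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_PCI_31 = "ssl_protocols TLSv1.2 TLSv1.3;\n"

if __name__ == "__main__":
    for label, cfg in [("Apache, post-POODLE", APACHE_POST_POODLE),
                       ("Apache, PCI 3.1", APACHE_PCI_31),
                       ("nginx, legacy", NGINX_LEGACY),
                       ("nginx, PCI 3.1", NGINX_PCI_31)]:
        print(f"{label}: {cfg.strip()}")
        for finding in check_config(cfg) or ["PASS: only TLS 1.2 or later is offered"]:
            print("  " + finding)
```

Run it against the real vhost file, then confirm from outside with a handshake probe (for example `openssl s_client -connect host:443 -tls1`, which a compliant server should refuse): the config check tells you what is meant to be offered, the probe tells you what is actually offered, and the two can disagree when a load balancer or CDN terminates TLS in front of the web server.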
Take a look at PayPal’s announcement of meeting the newest PCI standards. As June approaches, we should be seeing more and more discussion of companies being 3.1 compliant.