Five Ways PCI DSS 3.0 Makes Security a Shared Responsibility

In 2005, CardSystems Solutions, which was a top payment processor for credit cards such as Visa, MasterCard, and American Express, was hacked. The consequences were enormous: 40 million credit card accounts were exposed in the cyber-attack, and CardSystems Solutions was bought out by the end of the year.

You’ve probably never heard of CardSystems Solutions, but Visa, MasterCard and American Express got your attention. Even though a vendor may be responsible for the data breach, the brand name is the one that suffers the public relations disaster.

Since 2005, cyber-attacks have only become more sophisticated. More than ever, companies and their vendors must work together to protect cardholder data and achieve compliance with the newest iteration of the Payment Card Industry Data Security Standard. Here are five ways PCI DSS 3.0 makes security a shared responsibility:

1. PCI DSS 3.0 compliance is not optional.

Any business handling cardholder data must be PCI compliant or risk fines from the major credit card companies following a breach. However, the financial fallout goes beyond penalties: Enterprises may find themselves spending money to clean up a PR nightmare. Proactive vendor risk management can stave off liabilities before they become breaches.

2. Neither are periodic vendor assessments.

Periodic vendor assessments can help companies know what they don’t know. In the CardSystems example, the organization had been audited and found to be standards-compliant in 2004 (the PCI DSS hadn’t quite been introduced then), but an investigation after the breach found it wasn’t in 2005. Assessments must be thorough as well, partly to ensure that a vendor that says it’s compliant actually is. Following PCI DSS 3.0 is beneficial to merchants, but some third parties may think they are following the standards when in fact they aren’t. Vendors should want to know what they can do better to protect cardholder data.

3. Responsibilities must be defined.

A new requirement of PCI DSS 3.0 mandates a clear delineation of which party (the company or its vendor) is responsible for which part of compliance. At first glance, this might be contentious because vendors may feel they are being charged with more responsibilities than they want. Coming to this delineation may require negotiations, but after the initial shock, this is where companies and vendors can work together to decide how they will achieve PCI DSS 3.0 compliance.

4. Documentation will get better.

With PCI DSS 3.0, service providers now must provide documentation when they are handling cardholder information. Also, noncompliance becomes a bigger headache for vendors. Though this may seem to set up an adversarial relationship between the third party and its customer, again, it offers the opportunity for the two sides to become partners in achieving compliance. A company that knows a vendor is striving to follow PCI DSS 3.0 can focus its risk management efforts where they are most needed, either with that vendor or on more challenging third parties under contract. And of course, the reputation of a vendor in compliance is more likely to grow.

5. The little guys will get the help they need.

For smaller merchants and vendors, PCI DSS 3.0 is going to be a challenge because many who never were concerned about compliance suddenly must follow the updated guidelines. For example, a new requirement directs companies to regularly inspect point-of-sale (POS) machines for tampering, but some merchants may not have a clue how to do this. Companies can share the security responsibility by guiding their vendors through the new requirements of PCI DSS 3.0. By informing third parties what they need to do and offering advice on how to do it, enterprises encourage compliance and minimize their own risk.

 

Six Ways PCI DSS 3.0 Impacts Vendor Risk with Payment Application Developers

In 2012, Global Payments, a credit card payments processor, was compromised, and the credit card information of 1.5 million customers was stolen, costing Global Payments $94 million in penalties and reparations.

A breach at a third party handling your payment applications may cost you as much, which is why companies must conduct robust vendor risk management with these developers. Here are six ways version 3.0 impacts vendor risk management with payment application developers:

1. PA-DSS compliance doesn’t mean PCI compliance.

The new update clarifies that applications that follow PA-DSS standards are still within the scope of a PCI DSS audit. From a vendor risk management standpoint, you or the developer can’t assume that PA-DSS-compliant software is necessarily also complying with the PCI DSS.

2. Training standards

Vendor personnel with any PA-DSS responsibility must receive annual training. Companies must insist upon this from their vendors and check for it as part of their vendor risk management initiatives.

3. Application updates

Vendors have to provide written details of any updates to their applications, which should give vendor risk management staffs more visibility into their payment application developers.

4. Risk assessment during the development process

The PA-DSS update mandates that vendors incorporate risk assessment techniques into their software development, meaning the software can be thoroughly vetted before you even screen the vendor.

5. Differing passwords

Vendors are now required to use a unique authentication credential for each individual customer environment. If the password information for another company is breached, the hacker won’t automatically possess the credentials for your company as well.

6. Source code integrity

Under the new standards, payment application vendors must verify the integrity of source code during the development process. Best practices in coding techniques are mandated as well. Furthermore, only people directly involved with an application should have write access to it. Vendor risk management screenings may ask about this final point; PA-DSS now requires it in the hopes of preventing unauthorized employees at the vendor from inserting their own, potentially invasive, code.

 

Six Recommendations for Maintaining PCI Compliance with 3.0

Read the financial news on any given morning and you’ll find a story about a data breach costing an organization millions. Some companies don’t take PCI compliance seriously and don’t fully comprehend the risks of ignoring compliance. In fact, a recent ControlScan survey discovered that 69 percent of Level 4 merchants (the smaller businesses on the spectrum) don’t believe they will fall victim to a data breach, and nearly half of the survey respondents had little or no familiarity with PCI DSS.

Many large organizations know better but still must take steps to ensure their vendors are following PCI compliance, particularly if third parties are handling an organization’s payment data. A company’s efforts to protect against data breaches won’t mean a thing if customer records are compromised due to the negligence of a vendor. Here are six recommendations for maintaining PCI compliance with the new 3.0 standard:

1. Make no assumptions

If an IT person at a vendor tells you a new piece of software or a revised process is following PCI compliance guidelines, should you just take their word for it? Third parties may think they are following PCI compliance best practices because they use anti-virus software and outdated encryption methods, but without a thorough auditing process and careful risk screenings, you can’t be sure. Be sure to assess your vendors against the standards!

2. Don’t store what you don’t need.

Credit card numbers are the Holy Grail for cybercriminals. From a merchant’s standpoint, the level of protection needed to guard such data is immense and the consequences of a breach are crippling. So if storing cardholder data isn’t necessary, don’t let your vendor do so.

3. Upgrade to passphrases.

PCI DSS 3.0 recommends that merchants consider using passphrases instead of passwords. Passphrases are tougher to decipher than even the most complex passwords and will help in efforts to achieve PCI compliance.

Passphrase

An alternative to using a “password” is to use a “passphrase”. A passphrase is a sequence of words strung together to create a “password”. To do this, you need to set aside the traditional way of thinking about building a password. Instead of worrying about how many characters your password needs to have, consider multiple words that can be combined to make a phrase. A passphrase is made up of four or five short words, put together in a way that makes sense to you. While your “password” may be longer (which makes it more secure), it will be easier for you to remember. Here are some examples:

“My dog just turned eight.” = “MyDogJustTurn-D8”

“Look at all the snow today!” = “LookatAlltheSnow2day!”

“I love to go fast in my car!” = “Ilove2goFastInMyCar!”

Passphrases must meet all of the requirements of traditional passwords. One final tip: choose a phrase that you can easily remember; however, to increase security, avoid common phrases, lyrics, titles, and quotations. Your passphrase should be words that you put together yourself and that have meaning to you.
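The passage above says a passphrase must still satisfy the traditional password requirements and must not be a well-known phrase. The following is an added example, not code from the original post: a small policy check that applies those two rules to the three sample passphrases shown above. It assumes that the "traditional requirements" are the PCI DSS 3.0 requirement 8.2.3 minimums (at least seven characters, containing both alphabetic and numeric characters); the denylist of common phrases is constructed for the example and is not an official list.

```python
"""Passphrase policy check (added example, not from the original post).

Assumes the 'traditional password requirements' a passphrase must still
meet are the PCI DSS 3.0 requirement 8.2.3 minimums: at least seven
characters, with both alphabetic and numeric characters (this mapping is
an assumption). The common-phrase denylist is constructed for the example.
"""
import re
from typing import List

MIN_LENGTH = 7  # assumed from PCI DSS 3.0 req. 8.2.3

# Constructed denylist of the kinds of phrases the post says to avoid
# (sayings, lyrics, titles, quotations), stored in normalized form.
COMMON_PHRASES = {
    "tobeornottobe",
    "letitbe",
    "maytheforcebewithyou",
    "thequickbrownfox",
}


def normalize(phrase: str) -> str:
    """Reduce a phrase to lowercase letters only, so spacing, punctuation
    and capitalization cannot disguise a known phrase. Digit-for-word
    substitutions in the typed form ("2" for "to") are not undone here,
    which is why the plain source phrase is checked separately below."""
    return re.sub(r"[^a-z]", "", phrase.lower())


def check_passphrase(passphrase: str, source_phrase: str = "") -> List[str]:
    """Return the list of policy failures; an empty list means it passes.

    `passphrase` is the credential actually typed; `source_phrase` is the
    optional plain-language sentence it was built from, checked against
    the denylist too, since a guesser targets the phrase, not its spelling.
    """
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in passphrase):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in passphrase):
        failures.append("no numeric character")
    for candidate in (passphrase, source_phrase):
        if candidate and normalize(candidate) in COMMON_PHRASES:
            failures.append("derived from a well-known phrase")
            break
    return failures


if __name__ == "__main__":
    # The three sample passphrases from the post, plus two constructed
    # negatives: a short password and a famous quotation.
    samples = [
        ("MyDogJustTurn-D8", "My dog just turned eight."),
        ("LookatAlltheSnow2day!", "Look at all the snow today!"),
        ("Ilove2goFastInMyCar!", "I love to go fast in my car!"),
        ("abc", ""),
        ("LetItBe1!", "Let it be"),
    ]
    for typed, source in samples:
        result = check_passphrase(typed, source)
        print(f"{typed!r}: {'OK' if not result else ', '.join(result)}")
```

All three of the post's examples pass because each is longer than seven characters and mixes letters with at least one digit; the constructed "LetItBe1!" passes the length and character rules but is rejected because its source phrase is on the denylist, which is the check the post's final tip is asking for.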

4. PA-DSS

Along with the PCI DSS update to 3.0, the Payment Application Data Security Standard, or PA-DSS, was updated this year. These guidelines address applications and software used for any part of an electronic transaction. Becoming familiar with PA-DSS 3.0 is imperative, but never assume that just because an application is following PA-DSS guidelines that it is also in line with PCI compliance standards. Check both.

5. Simplify.

Achieving PCI compliance can be a detailed task, but with enough advance planning and due diligence, it doesn’t need to be. From a vendor risk management standpoint, using an automated solution can streamline the assessment process and get your third parties closer to compliance in much less time.

6. Don’t settle for complacency.

Many merchants are audited once a year for PCI compliance, but one positive screening doesn’t mean a vendor is compliant forever. Technology changes, processes are updated, cyber-attacks become more sophisticated. Staying vigilant and working with your vendors toward PCI compliance can reduce risk and protect the cardholder data of your customers.

What does your company recommend to vendors trying to achieve PCI compliance?