Card payment security is more important than ever. With card-related breaches reported to have risen from 33% in 2017 to 65% in 2020, the long-awaited roll-out of PCI DSS 4.0 is set to revise the existing requirements so that payment security compliance covers the vast array of ways in which consumers now shop.
But, what is PCI DSS exactly?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for protecting cardholder data, maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, Discover, American Express and JCB) to reduce fraud and card data breaches. It is an industry standard enforced through the card brands' and acquirers' contracts with merchants, not a government regulation.
First released in 2004, the standard requires merchants and service providers that handle card data to comply with its 12 key requirements or risk fines from their acquirer and, ultimately, the loss of their right to process card payments.
PCI DSS Compliance Checklist
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data: store only what is needed, mask the card number (PAN) when it is displayed, render it unreadable at rest, and never store sensitive authentication data such as the CVV after authorisation.
Encrypt transmission of cardholder data across open, public networks.
Protect all systems against malware and regularly update anti-virus software.
Develop and maintain secure systems and applications.
Restrict access to cardholder data by business need to know.
Identify and authenticate access to system components: assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security for all personnel.
So, why is PCI DSS changing?
The last major revision of the standard (v3.0, released in 2013; the current v3.2.1 is a minor update from 2018) predates the era of mainstream mobile and contactless payments and does not address them comprehensively.
The requirements now need to expand in scope to account for the near-omnipresent way in which commerce happens.
Beyond the growing number of channels through which customers can shop, such as mobile apps and social media, buying is near-constant and increasingly happens in its own 'metaverse'.
With the Council taking a pre-emptive approach to the future of payments and security, the stated goals for the new version are:
Continue to meet the security needs of the payments industry.
Add flexibility and support for additional methods of achieving security.
Enhance validation methods and procedures.
Promote security as a continuous process rather than a once-a-year exercise.
Businesses are expected to get a first look at the requirements for PCI DSS v4.0 later this year, ahead of its initial release in March 2022.
What happens if I'm not compliant?
Any business that stores, processes or transmits cardholder data, or whose systems could affect the security of that data, must be PCI DSS compliant.
The easiest way to meet the upcoming PCI DSS 4.0 requirements is to already be compliant with the current version.
However, Verizon's 2020 Payment Security Report found that in 2019 only 27.9% of organisations were fully compliant, down from 55.4% in 2016.
Failing to achieve full compliance can leave cardholders and businesses exposed to damaging data breaches, fines, and loss of processing rights.
With the additional pressures of Covid-19 on daily operations, more businesses are expected to fall short of their PCI compliance obligations.
Instead, merchants are increasingly looking at how to reduce their PCI DSS scope.
How to become PCI DSS v4.0 Compliant:
To validate compliance, you either undergo an on-site assessment that produces a Report on Compliance (ROC), which the largest merchants must do, or complete an annual Self-Assessment Questionnaire (SAQ). Which SAQ applies (for example SAQ A for fully outsourced e-commerce, or SAQ P2PE for terminals in a validated P2PE solution) depends on how you accept cards and how much of the card data flow you handle yourself.
Alternatively, a Qualified Security Assessor (QSA) can carry out the assessment and help ensure your business is in line with the current requirements.
Reducing your scope:
Reducing the scope of your PCI compliance for both in-store and e-commerce payments is relatively painless. The key objective is to control and limit where cardholder data flows, so that fewer of your own systems ever see it.
In-store at the Point of Sale:
Use card terminals that are part of a PCI-listed point-to-point encryption (P2PE) solution, so card data is encrypted inside the terminal and is never readable on your own network.
Online (e-commerce):
Integrate payment pages hosted by a PCI DSS Level 1 compliant payment processor (a redirect or an iframe served entirely by the processor), so card data is entered directly into the processor's environment rather than passing through your web servers.
When taking recurring payments:
Take recurring payments through a PCI DSS Level 1 compliant payment processor that offers card tokenization: the processor stores the card number in its own vault and returns a random token that you keep and reuse for later charges, so your systems hold no card number at all.
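As an added example (not code from the original article or from any payment processor), the following Python models the recurring-payment flow above: the processor's vault issues a random token for a card number, the merchant keeps only the token, a masked card number and the expiry, and a scan of the merchant's record confirms no card number remains in it. It also shows the "protect stored cardholder data" requirement from the checklist in practice (first-six/last-four masking, no CVV retention). The vault as an in-memory dict, the "tok_" prefix and the enrol_card/charge functions are assumptions for illustration; the card numbers are well-known test numbers, not real accounts.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample input: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5555-5555-5555-4444", "3782 822463 10005"]


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; rejects mistyped numbers before they reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS requirement 3.3: at most first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# A run of 13 to 19 digits with optional space/dash separators, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Finds Luhn-valid card numbers in free text (a log line, a serialised record)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


class ProcessorVault:
    """Stands in for the Level 1 processor's token service; the PAN lives only here.
    Assumption for this example: an in-memory dict. A real vault encrypts the PAN
    with keys managed inside the processor's own cardholder data environment."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("PAN fails Luhn check")
        # A random token has no mathematical relation to the PAN, so it cannot be
        # reversed without the vault, and 128 bits of entropy makes guessing infeasible.
        token = "tok_" + secrets.token_urlsafe(16)  # "tok_" prefix is a hypothetical format
        self._by_token[token] = (digits, expiry)
        return token

    def charge(self, token: str, amount_minor: int) -> dict:
        """Recurring charge: the merchant supplies only the token and the amount."""
        pan, expiry = self._by_token[token]  # KeyError for an unknown token
        # Authorisation with the card network would happen here; simulated as approved.
        return {"token": token, "amount": amount_minor, "masked_pan": mask_pan(pan), "approved": True}


@dataclass
class StoredCard:
    """Everything the merchant keeps: no PAN, no CVV."""
    token: str
    masked_pan: str
    expiry: str


def enrol_card(vault: ProcessorVault, pan: str, expiry: str, cvv: str) -> StoredCard:
    """Merchant-side enrolment for recurring billing. The CVV is checked for the
    initial authorisation only and is never written anywhere (PCI DSS requirement 3:
    sensitive authentication data must not be stored after authorisation)."""
    if not (cvv.isdigit() and len(cvv) in (3, 4)):
        raise ValueError("CVV must be 3 or 4 digits")
    token = vault.tokenize(pan, expiry)
    return StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)


if __name__ == "__main__":
    vault = ProcessorVault()
    card = enrol_card(vault, SAMPLE_PANS[0], "12/26", "123")
    record = f"{card.token},{card.masked_pan},{card.expiry}"
    print("merchant record:", record)
    print("card numbers found in record:", find_pans(record))
    print("renewal charge:", vault.charge(card.token, 1999))
```

The scope reduction comes from the data the merchant retains: the token is random rather than derived from the card number, so a breach of the merchant's database yields nothing usable, and find_pans is the kind of check an assessor will want to see run over logs and exports to prove that no card number leaked past the processor boundary.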
PCI DSS 4.0 - When to expect it
PCI DSS 4.0, like many significant changes to a standard, has faced delays. Unlike PSD2, where extra time was granted for compliance to be met, the delays to PCI DSS 4.0 were to allow further rounds of industry feedback and updates to the v4.0 criteria.
As mentioned, PCI DSS 4.0 expands its scope to cover a much wider range of commerce channels and technologies.
With a transition period of 18 months, merchants should expect further updates to PCI DSS 4.0 beyond the initial release.
Throughout this time, the current PCI DSS v3.2.1 documentation will remain active.
While PCI DSS 4.0 remains vague so far, a few things are already clear:
Do not delay:
Despite the 18-month timeline, assessors will expect clear documentation of your processes and controls.
Expect ongoing assessment:
Maintenance and testing throughout the period is essential.
Define your governance structure:
Assign clear ownership and responsibility to named personnel early on.
Disclaimer: This post should be used for guidance purposes only. Your obligations will vary depending on your annual processing volume (merchant level). Please consult a QSA for more information.