by Anastasios Arampatzis
During 2020, credit card and contactless transactions skyrocketed as a response to the hygiene and restriction measures introduced to contain the pandemic. Besides the obvious benefits for both retailers and consumers, there are concerns about the security of these transactions and the cardholder data associated with them. Retailers need to ensure that they comply with the security requirements of the PCI DSS standard to protect this sensitive data and enhance the trust their customers place in their brand.
Brief Overview of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) has been developed to reinforce the security of credit card transactions and facilitate the broad adoption of consistent data security measures. PCI DSS provides a baseline of technical and operational requirements designed to protect financial data. The goal of the PCI DSS is to protect cardholder data and sensitive authentication data wherever it is processed, stored, or transmitted.
The standard applies to all organizations involved in credit card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS compliance is split into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise must do to stay compliant. Compliance with the standard is enforced by the founding members of the PCI Security Standards Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.
PCI DSS comprises a minimum set of 12 requirements for shielding transactional data and may be supported by additional policies and practices to mitigate emerging risks. PCI DSS does not supersede national laws, government regulations, or other legal requirements that may require specific protection of personal and financial information.
What is new in PCI DSS 4.0?
The current version of PCI DSS 3.2.1 was released in May 2018. The preceding versions of the standard evolved as various versions of the SSL/TLS protocol were being deprecated. While PCI DSS 3.0 was built on SSL, PCI DSS 3.1 dictated the migration from SSL to TLS protocol.
PCI DSS v3.2, published in April 2016, asked for the adoption of TLS 1.1 or TLS 1.2, since the older versions of TLS (including TLS 1.0) left the cardholder data open to vulnerabilities like Heartbleed and POODLE. Finally, PCI DSS v3.2.1 mandates the deprecation of all TLS versions except TLS 1.2.
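The protocol floor described above is something an operator should pin explicitly and be able to audit, rather than trust the defaults of whatever runtime happens to be installed. The following Python example is added here (it is not code from the article or from ADACOM): it builds a server-side TLS context with TLS 1.2 as the minimum, expands a context's minimum/maximum range into the concrete protocol versions it would accept, and reports any version below the floor. The certificate paths are hypothetical and supplied by the caller; the "TLS 1.2 and above" floor is taken from the article's description of v3.2.1.

```python
import ssl

# Floor used in this example: the article states that PCI DSS v3.2.1 leaves only
# TLS 1.2 as acceptable, so every version below it is treated as deprecated.
PCI_MIN_TLS = ssl.TLSVersion.TLSv1_2

# Concrete protocol versions in ascending order, used to expand a (min, max) range.
_ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def _as_version(v):
    """Accept either a ssl.TLSVersion member or its name (e.g. 'TLSv1')."""
    return ssl.TLSVersion[v] if isinstance(v, str) else v


def pci_server_context(certfile=None, keyfile=None):
    """Server-side context with the PCI floor pinned explicitly, not left to defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PCI_MIN_TLS
    if certfile:  # hypothetical deployment paths chosen by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allowed_versions(minimum, maximum):
    """Expand (minimum_version, maximum_version) into the versions a context accepts.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are the sentinel values a context
    reports when no explicit bound is set; they are treated as the ends of the list.
    """
    lo, hi = _as_version(minimum), _as_version(maximum)
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _ORDERED[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _ORDERED[-1]
    return [v.name for v in _ORDERED if lo <= v <= hi]


def deprecated_versions_allowed(minimum, maximum):
    """Versions below the PCI floor that the range still permits (empty list == compliant)."""
    return [name for name in allowed_versions(minimum, maximum)
            if ssl.TLSVersion[name] < PCI_MIN_TLS]


def audit_context(ctx):
    """Findings for a live SSLContext; an empty list means no deprecated version is enabled."""
    return deprecated_versions_allowed(ctx.minimum_version, ctx.maximum_version)


def negotiated_is_compliant(version_string):
    """Check the string SSLSocket.version() reports after a handshake, e.g. 'TLSv1.2'."""
    return version_string in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    ctx = pci_server_context()
    print("hardened context accepts:", allowed_versions(ctx.minimum_version, ctx.maximum_version))
    print("hardened context findings:", audit_context(ctx))
    # A range that still starts at TLS 1.0, as a legacy server might be configured.
    print("legacy range findings:", deprecated_versions_allowed("TLSv1", "MAXIMUM_SUPPORTED"))
```

`audit_context` reads the bounds the Python context reports; it does not replace an external scan of the deployed endpoint, which is what an assessor will actually run, but it catches a misconfigured floor before the service is deployed.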
The PCI SSC plans to release the 4.0 version of the standard during the second quarter of 2021. The new version is projected to be an outcome-based document, changing the language from “must implement” to “the outcome is.” It is also going to place greater emphasis on security as a continuous process that integrates with an organization’s overall security and compliance posture.
Other changes will include the introduction of guidance for multifactor authentication, the broader applicability of cardholder data encryption, requirements for monitoring and adapting to technology evolution, and greater frequency of auditing the implementation of critical controls.
The added value of PCI DSS compliance
Complying with PCI Security Standards might seem like a cumbersome task because of the patchwork of security requirements. However, the effort will pay you back. Maintaining compliance with PCI DSS benefits financial institutions, big retailers and small businesses, especially if you consider the dire consequences of failing to secure your transactions. The added value offered by PCI DSS compliance includes:
- Demonstrate enhanced security of your systems and services so that your customers can trust you with their sensitive payment card information. Trust leads to customer confidence and loyal customers.
- Improve your reputation with acquirers and payment brands – the partners your business needs.
- Prevent security breaches and payment card data theft now and in the future through a continuous and ongoing compliance process. PCI DSS compliance means you are contributing to a global payment card data security solution.
- Be better prepared to comply with additional regulations requiring the protection of sensitive and personal data, such as GDPR or other industry related standards.
- Enable and foster corporate security strategies promoting a culture of security hygiene and best practices.
- Improve IT infrastructure efficiency and maximize the ROI of your investments in security technology and controls.
You can also understand the value of PCI DSS compliance by considering the disastrous results of failing to comply with the standard. Building trust and confidence with your customers takes a lot of effort, but it can be destroyed within seconds. By achieving PCI compliance, you are protecting your customers so they can continue to be your customers. Failure to comply with PCI DSS carries dangers such as:
- Compromised personal and financial data that negatively impacts consumers, merchants, and financial institutions.
- Severely damaged reputation, impacting your ability to conduct business effectively, not just today, but into the future.
- Account data breaches that can lead to catastrophic loss of sales, revenue, business relationships, and community standing; plus, public companies often see a depressed share price as a result of account data breaches.
- Lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines.
How to comply with PCI DSS
Maintaining compliance with PCI DSS should be a top priority for all businesses processing or storing cardholder data. The tips below can help you effectively implement the requirements defined in the standard.
- Segment your data. It is imperative to keep your cardholder data segmented from your standard company data. This entails creating an environment that only deals with cardholder data. This practice not only protects your data, but it also reduces the scope of your PCI audit.
- Encrypt your data. All cardholder data should be encrypted, or tokenized, from the moment you interact with your customer’s card number. This also includes ensuring this data is encrypted while at rest.
- Control access to your data. Role-based access controls (RBAC) will make your PCI compliance much easier. RBAC will ensure that only the right people will have access to this data, limiting the chances of unauthorized disclosure.
- Monitor your data. Set up alerts for security incidents involving cardholder data or anything that could compromise your cardholder environment. Attackers usually do not compromise your data by coming through your front door, but rather do it in a methodical, hidden manner so as not to alert you.
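The "encrypt or tokenize", "control access" and "monitor" tips above fit together in one small design, shown here as an added Python example that is not code from the article or from ADACOM. A token vault replaces each PAN with a random token so that the rest of the business only ever stores the token and a masked form (first six and last four digits); role-based access decides who may tokenize and who may recover the PAN; every access decision is recorded, and denied attempts are surfaced as alerts. The role table, principal names and the test card number 4111111111111111 are constructed for the example. The vault keeps its mapping in an in-memory dictionary so that the code runs stand-alone; the vault itself stays in PCI scope and in a real deployment must hold the PAN encrypted at rest, which the article's "encrypted while at rest" point covers and this example does not implement.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed role table for the example: only the fraud desk may recover a PAN.
ROLES = {
    "cashier": {"tokenize"},
    "fraud-analyst": {"tokenize", "detokenize"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject values that are not well-formed PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display form: first six and last four digits, the rest hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random, unrelated tokens; only the vault ever holds the PAN."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._pan_by_token = {}      # stand-in for the encrypted vault store
        self._token_by_fp = {}
        self.events = []             # audit trail feeding security_alerts()

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the same card maps to the same token without indexing on the raw PAN.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _check(self, who: Principal, action: str) -> None:
        allowed = action in ROLES.get(who.role, set())
        self.events.append({"who": who.name, "role": who.role,
                            "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{who.name} ({who.role}) may not {action}")

    def tokenize(self, pan: str, who: Principal):
        """Return (token, masked_pan); the caller stores those two, never the PAN."""
        self._check(who, "tokenize")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token, mask_pan(pan)

    def detokenize(self, token: str, who: Principal) -> str:
        self._check(who, "detokenize")
        return self._pan_by_token[token]

    def security_alerts(self):
        """Denied actions: what a monitoring rule on the cardholder environment should raise."""
        return [e for e in self.events if not e["allowed"]]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-example-fingerprint-key")
    cashier = Principal("pos-01", "cashier")
    analyst = Principal("alice", "fraud-analyst")
    token, masked = vault.tokenize("4111111111111111", cashier)
    print("stored by the shop:", token, masked)
    try:
        vault.detokenize(token, cashier)
    except PermissionError as exc:
        print("denied:", exc)
    print("alerts:", vault.security_alerts())
```

The fingerprint key and the vault store are the two secrets that keep this design honest: anyone holding both can reverse a token, so they belong inside the segmented cardholder environment described in the first tip, not alongside the application that only needs the masked value.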
If you want to learn how to protect your transactions and safeguard your customers, you may contact the experts of ADACOM to guide you through the PCI DSS compliance process.
Specifically, the ADACOM team can:
- Guide you on which level of certification (e.g. self-assessment or a QSA (Qualified Security Assessor) assessment) applies to your business
- Assist you through the whole process of preparation and certification
- Facilitate the process of compliance with the PCI DSS standard and the gathering of evidence
- Advise on enhancements and quick wins in your environment so that you reach the required PCI DSS compliance level more easily and avoid unnecessary costs
- Recommend technological solutions as well as organizational measures which effectively address PCI DSS requirements