All you need to know about PCI DSS v4.0

PCI DSS v4.0 is the next version of the security standard for payment card data. Here’s what you need to know about the updated standard.


The payment card data of millions of consumers has been compromised by cyber-criminals, and the organisations that lost it have paid a hefty price, both financially and reputationally. Research findings cited by Statista showed that corporate-owned servers are the assets most often involved in data breaches (49%), while the average cost of a cyber-attack to a UK organisation is put at $4.67m.

The answer to this is robust security controls around the data that flows through the payment ecosystem. That is what the Payment Card Industry Data Security Standard (PCI DSS) provides: a baseline set of controls for every merchant, processor and service provider that stores, processes or transmits cardholder data, which in turn limits the fraud that follows a breach. PCI DSS v1.0 was published in 2004, and the standard has been revised repeatedly since then to keep pace with new technology and new attacks. PCI DSS v4.0 is the next of these revisions and is about to come out.

Launching PCI DSS version 4, however, has been a rollercoaster ride. The updated standard was originally due in mid-2021, but the release date has slipped and is yet to be confirmed. If you're familiar with PCI DSS v3.2.1 and your heart skipped a beat when you heard that a new version is underway, rest assured that the 12 core requirements remain intact; they are being enhanced, not replaced. To further dispel concerns, new requirements will be future-dated when the standard goes live, so that merchants and other stakeholders have time to set up and implement new processes before they become mandatory.

The bottom line is that the new version expands the requirements into a few new security areas to reflect current industry practice and the feedback the Council has collected. While we wait for the revised standard to drop, let's refresh our memories on the basics of what it means to be PCI compliant, and then look at the changes PCI DSS 4.0 will bring to the payments industry.

PCI compliance 101 – A recap

Let's untangle the operational and technical detail with some PCI-related “What”, “Who”, “Why” and “When” questions.

What is PCI compliance and who developed it?

The standard sets out the controls a business must have in place when it stores (or tokenises), processes or transmits cardholder data. It also covers how to detect and deter breaches within the Cardholder Data Environment (CDE): the people, processes and systems that touch that data. The most sensitive element is the PAN, the primary account number printed on the front of a credit or debit card; wherever the PAN is stored, processed or transmitted, that system is in scope.

The PCI Security Standards Council (PCI SSC) was formed in 2006 by the major card brands (Visa, American Express, Mastercard, JCB and Discover) to take over the standard, whose first version had been published in 2004. The Council's role continues to be maintaining and evolving the data security standards that apply to every organisation handling sensitive payment card information.

Designed to protect account data against fraudulent use, PCI DSS is a non-negotiable for any business that accepts card payments. Non-compliance leaves the door open to data breaches and can bring fines from the card brands and acquirers. Verizon’s Payment Security Report, published in 2019, found that only 36.7% of the organisations it assessed worldwide maintained full PCI DSS compliance between assessments; the rest were running with gaps, exposing customer data and risking costly penalties in the event of a hacking incident.

Bear in mind that besides the requirements for merchants and service providers, PCI SSC maintains other standards, such as the Payment Application Data Security Standard (PA DSS) for payment application vendors, which is being superseded by the Software Security Framework. There are also PIN Transaction Security (PTS) requirements for companies that make the devices used to accept card payments.

Why the update?

As technology advances, so does the threat landscape. More so than ever, cybersecurity and compliance professionals are seeking ways to modernise infrastructure and strengthen their defences against ransomware and digital attacks.

Since its inception, PCI DSS has aimed to get merchants and service providers to build security into their everyday processes, so that the controls are operated all year round rather than put in place once for the annual assessment.

The updated standard is built around four stated goals:

  • Continue to meet the security needs of the payment industry.
  • Promote security as an ongoing process, not an annual event.
  • Add flexibility, so organisations can use different methodologies and technologies to meet the intent of each requirement.
  • Enhance the validation methods and procedures used by assessors.

When will PCI DSS 4.0 be released?

As of this writing, the PCI SSC expects to complete version 4.0 in Q1 2022, with new requirements future-dated so that they do not become mandatory until 2025. Until then, let’s take a trip down memory lane and identify the highlights of the PCI DSS 4.0 timeline.

It all started in 2019. The PCI SSC held two separate Requests for Comment (RFC) on draft PCI DSS v4.0, the first closing in late 2019 and the second in late 2020. Having collected over 13,000 comments from Participating Organisations and Qualified Security Assessors (QSAs), the Council used the feedback to produce the current draft of version 4.0.

According to Lauren Holloway, Director of Data Security Standards, PCI DSS v3.2.1 will remain active for 18 months after all PCI DSS v4.0 materials — the standard itself and the supporting documents (e.g., SAQs, ROC template and AOCs), the remaining RFC and validation documents, and training — have been published. That transition period, which points to v3.2.1 retiring by Q1 2024, gives the involved parties time to familiarise themselves with the new security controls, update their reporting forms and adjust budgets.

Fast forward to today, PCI SSC has announced a preview period of the draft standard for early 2022. This draft will be issued to Participating Organisations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs). Holloway added that updates to supporting documents – that is, SAQs, PCI DSS Glossary, Report on Compliance (ROC) Template, and Prioritised Approach – will also be involved in the revision cycle.

PCI DSS 3 vs 4 – What’s new?

Although the standard isn’t finalised, the Council has shared details with the public on what to expect when the new version is put into force. Let’s delve into the PCI DSS 4.0 Summary of Changes to find out how these changes differ from version 3.2.1.

As mentioned above, the 12 core PCI DSS requirements listed in version 3.2.1 won’t shift to any real degree with the adoption of PCI DSS 4.0. The change is a matter of updated wording, a few new requirements and a new way of validating them.

Advanced technology and “Customised Implementation”

Perhaps the biggest change in PCI DSS v4.0 is the way organisations will be able to demonstrate compliance. Where PCI DSS v3.2.1 is prescriptive, dictating how each requirement must be met, PCI DSS 4.0 adds flexibility: alongside the existing defined approach, it introduces a Customised Approach, under which an entity can meet the stated objective of a requirement with a control of its own design. This is distinct from a compensating control, which remains available (and remains a documented, time-consuming exercise) for entities that cannot meet a requirement as written because of a legitimate constraint.

To support this, each requirement will state the security objective it exists to achieve, allowing entities to adopt new technology and tailor their controls to that intent. The entity documents the customised control and a targeted risk analysis showing why it meets the objective; the QSA then reviews that documentation, derives its own testing procedures and tests the control to verify that it is effective. The defined (prescriptive) approach is not being phased out: an entity can still choose it for any or all requirements on its Report on Compliance (ROC), and can mix the two approaches.

It’s worth noting that the draft of PCI DSS v4.0 phrases its requirements in a way that accommodates different technologies (e.g., cloud hosting services and serverless computing), so that the standard keeps up with how IT is actually deployed.

Based on what the PCI Council has put out, more PCI DSS v4.0 updates will involve:

Authentication

The new version aligns its password and multi-factor authentication rules more closely with NIST guidance. While the priority is stronger authentication for everyone who logs in to the CDE or processes transactions, PCI SSC has also worked with EMVCo on the PCI 3-D Secure (3DS) Core Security Standard, which covers the environments that perform 3DS cardholder authentication before a transaction is authorised.

These are the main areas where the authentication requirements evolve:

  • The minimum password length rises from 7 characters to 12 (8 where a system cannot support 12), and passwords must contain both letters and numbers. A special character is not mandated.
  • Where a password is the only authentication factor it must still be changed at least every 90 days, unless the account's security posture is analysed dynamically; with multi-factor authentication in place, forced periodic rotation is no longer required. Passwords must in all cases be changed on suspicion of compromise.
  • User accounts and access privileges must be reviewed at least once every six months.
  • Vendor or third-party accounts may be enabled only for the period they are needed and must be monitored while in use.

The intent is not only to confirm that authentication controls meet the letter of the requirements, but to make sure they scale with the way the organisation's systems and transaction volumes evolve.
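The four bullet points above are the kind of rules that are easy to write into a policy and easy to drift away from between assessments. The following script is an added example (it is not code from the page, from emerchantpay or from PCI SSC) that audits a small account inventory against them. The inventory layout, the sample accounts and the “as of” date are constructed for the demo; the thresholds are the ones the published v4.0 text uses: 12-character passwords containing letters and digits, 90-day rotation where a password is the only factor, six-monthly access reviews, and time-boxed third-party accounts.

```python
"""Audit of an account inventory against the authentication rules above.

Added example; not code from the page, from emerchantpay or from PCI SSC.
The Account layout, SAMPLE_ACCOUNTS and TODAY are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

MIN_PASSWORD_LENGTH = 12                     # Req. 8.3.6 (v3.2.1 required 7)
PASSWORD_MAX_AGE = timedelta(days=90)        # Req. 8.3.9, password-only accounts
ACCESS_REVIEW_MAX_AGE = timedelta(days=183)  # Req. 7.2.4, "at least once every six months"


@dataclass
class Account:
    name: str
    mfa: bool
    third_party: bool
    enabled: bool
    pw_changed: date
    last_review: date
    # (start, end) of the approved access period for third-party accounts
    access_window: Optional[Tuple[date, date]] = None


# Constructed sample inventory, not real accounts.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", mfa=True, third_party=False, enabled=True,
            pw_changed=date(2021, 1, 10), last_review=date(2021, 9, 1)),
    Account("svc-backup", mfa=False, third_party=False, enabled=True,
            pw_changed=date(2021, 3, 1), last_review=date(2021, 2, 1)),
    Account("vendor-pos", mfa=True, third_party=True, enabled=True,
            pw_changed=date(2021, 10, 1), last_review=date(2021, 10, 1),
            access_window=(date(2021, 10, 4), date(2021, 10, 6))),
]
TODAY = date(2021, 11, 15)   # constructed "as of" date for the audit


def password_meets_policy(password: str) -> bool:
    """Length and composition only: letters and digits, no special-character
    rule. Comparing against the last four passwords used (Req. 8.3.7) needs
    the stored hashes and is outside this example."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def audit_account(acct: Account, today: date) -> List[str]:
    """Return one finding string per rule the account breaks (empty if clean)."""
    findings: List[str] = []
    pw_age = today - acct.pw_changed
    if not acct.mfa and pw_age > PASSWORD_MAX_AGE:
        findings.append(f"password is {pw_age.days} days old and is the only factor")
    review_age = today - acct.last_review
    if review_age > ACCESS_REVIEW_MAX_AGE:
        findings.append(f"access privileges last reviewed {review_age.days} days ago")
    if acct.third_party:
        if acct.access_window is None:
            findings.append("third-party account has no approved access window")
        else:
            start, end = acct.access_window
            if acct.enabled and not (start <= today <= end):
                findings.append(f"third-party account enabled outside its access "
                                f"window ({start} to {end})")
    return findings


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    return {acct.name: audit_account(acct, today) for acct in accounts}


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name:12} {'OK' if not findings else '; '.join(findings)}")
```

Run as is, the script passes alice (old password but MFA-protected, recent review), flags svc-backup twice (stale password-only credential, access review overdue) and flags vendor-pos because the account is still enabled after its approved window closed. Feeding it a real export from an identity provider is the obvious next step; the thresholds are constants so they can be tightened to local policy.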

Encryption

There is growing pressure to widen the scope of what must be encrypted, both for account data at rest (in a database, a file share or a stray spreadsheet) and for data in motion across networks. That is no surprise: phishing attacks rose by an alarming 46% in 2020, and they remain a tangible threat to financial institutions.

Typically, attackers gain a foothold on the network with malware and then harvest card data either from where it is stored or as it passes through the systems that handle it. PCI DSS already addresses this in Requirements 3 (protect stored account data) and 4 (protect cardholder data with strong cryptography during transmission over open, public networks), and the revised standard tightens both: among other things, the PAN must be rendered unreadable with a keyed cryptographic hash rather than a plain hash, disk- or partition-level encryption on its own is no longer sufficient for stored PAN outside removable media, and organisations are expected to keep an inventory of the cipher suites and protocols in use so that weak ones can be retired.
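Two practical consequences of Requirement 3 are that the PAN must never appear in full in logs or on screens (at most the first six and last four digits may be displayed) and that any hash of the PAN used for lookups must be keyed. The script below is an added example, not code from the page, from emerchantpay or from PCI SSC, that does both: it scans constructed log lines for Luhn-valid card numbers, masks them, and derives an HMAC-SHA256 token for each. The log lines, the HMAC key and the card numbers (public test numbers) are all constructed for the demo, and only the standard library is used.

```python
"""PAN detection, masking and keyed tokenisation.

Added example; not code from the page, from emerchantpay or from PCI SSC.
SAMPLE_LOG, DEMO_HMAC_KEY and the card numbers are constructed for the demo.
"""
import hashlib
import hmac
import re
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so timestamps, order ids and amounts are skipped or
# rejected by the Luhn check below).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed demo key. In production the key lives in an HSM/KMS and never in
# source; it is the key that makes the token non-reversible, because an unkeyed
# SHA-256 of a 16-digit PAN can be brute-forced.
DEMO_HMAC_KEY = b"example-only-do-not-use"

# Constructed log lines; the card numbers are public test numbers.
SAMPLE_LOG = """\
2021-11-15T10:22:33Z INFO  order=1234567890123456 status=authorised
2021-11-15T10:22:34Z DEBUG gateway request pan=4111111111111111 exp=12/24
2021-11-15T10:23:01Z DEBUG retry for card 5555 5555 5555 4444 amount=19.99
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(candidate: str) -> str:
    """Strip the separators people type between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in free text, separators removed."""
    return [pan for pan in (normalise(m.group(0)) for m in _PAN_CANDIDATE.finditer(text))
            if luhn_valid(pan)]


def mask_pan(pan: str) -> str:
    """Display form permitted by Req. 3.4.1: at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN (HMAC-SHA256) usable as a lookup token.
    v4.0 Req. 3.5.1.1 requires hashes of PAN to be keyed cryptographic hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other
    digit runs (order ids, amounts) untouched."""
    def _sub(m):
        pan = normalise(m.group(0))
        return mask_pan(pan) if luhn_valid(pan) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), pan_token(pan, DEMO_HMAC_KEY)[:16] + "...")
    print(redact(SAMPLE_LOG))
```

The order id on the first line is a 16-digit number that fails the Luhn check, so it survives redaction; the two genuine PANs, including the one typed with spaces, are masked. A scanner like this belongs in the log pipeline and in periodic sweeps of file shares, because data found in such places is what pulls unexpected systems into PCI DSS scope.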

Monitoring

PCI DSS 4.0 is expected to lean more on risk-based measures, with targeted risk analyses determining how often certain controls are performed. Separately, the Software Security Framework (SSF), which replaces the Payment Application Data Security Standard (PA DSS), sets the bar for the payment software vendors whose products run inside the cardholder data environment, and is written to accommodate modern development and deployment practices. On the monitoring side, merchants and payment service providers will be expected to detect failures of critical security controls promptly and to have processes in place to spot and respond to fraudulent activity, which in practice means investing in current network and endpoint detection tooling.

Testing

Critical control testing may take place more frequently under PCI DSS v4.0. The Designated Entities Supplemental Validation (DESV) requirements are no stranger to PCI DSS, but until now they applied only to entities designated by a card brand or acquirer, typically after a breach or because of high transaction volumes. The new version is expected to fold several DESV-style requirements, such as regular confirmation that controls are operating and prompt detection of control failures, into the base standard that every entity must meet.

The assessment documents also include more thorough guidance on sampling and scoping. Assessors get clearer direction on how to select samples, so that they can verify that controls are in place consistently across the entire population of in-scope systems rather than only on the ones they happened to look at.

Security awareness training

The requirements for training of end-users will elaborate on current threats and vulnerabilities that could affect the security of the CDE, including Phishing and Social Engineering.

Shape the future of your payment infrastructure with emerchantpay

We live in an interconnected world where information is distributed on an international scale. To keep their networks safe, organisations must address their weaknesses by applying security mechanisms and risk-mitigating strategies. Non-compliance with PCI DSS has a domino effect: a breach costs customer trust, which in turn costs sales, conversions and revenue.

There is a whole host of actions you need to take if you’re a merchant looking to establish a fraud-free checkout experience. Being PCI compliant, and working with a PSP who will guide you on how to build an environment where customers feel safe to pay, is a good place to start. That is where emerchantpay comes in. emerchantpay is a leading global payment service provider for online, in-app and in-store payments. Our range of payment solutions is available through a single integration and provides global acquiring, alternative payment methods, fraud and risk management and performance optimisation. We encourage our merchants to design seamless and rewarding payment experiences for their consumers, and our support team is always on hand to help achieve this.

Reach out to our payments specialists today and learn how you can handle sensitive data in compliance with PCI DSS to accelerate your business growth.
