BY Stephen Cavey | 2 April 2021
The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect customers’ payment data from being compromised and ensures the security of credit card transactions in the payments industry.
Following the dot-com bubble, merchants were eager to leverage the Internet to increase revenues through e-commerce, a tactic that is well-known in today’s fully digital world. But at this time, it was the “Wild West” when it came to regulating how this was done. Additionally, cybercriminals were already finding ways to infiltrate e-commerce websites, payment card processing systems and electronic retail point of sale networks. Thus, PCI compliance was born out of necessity.
PCI DSS is continuously evolving and adapting to the current world as the PCI Security Standards Council (PCI SSC) deems appropriate, in consultation with industry stakeholders including PCI QSAs (Qualified Security Assessors), payment processors, large merchants and other payment industry participants. American Express, Visa, MasterCard and Discover are the four main payment card brands overseeing the council.
PCI compliance applies to any organization, regardless of size or number of transactions, that transmits, accepts, or stores cardholder data.
Regulations surrounding PCI DSS impact every aspect of a business accepting card payments. They apply to both the hardware and software that merchants use, from systems as intricate as the computers managing payments all the way to the PIN pad you swipe your credit card through. This is in addition to a variety of other technology and people processes, including security policy, procedures, security controls, and general data awareness.
But the same requirements don’t apply universally to all merchants. In fact, there are four PCI compliance levels that are determined by the number of transactions the organization handles each year. They are broken down as such:
There are 12 different PCI compliance requirements that covered entities must follow in order to handle credit card information in a secure manner. Failure to follow these requirements greatly increases your company’s risk of hacking, fraudulent activity, or data breach.
Maintaining PCI compliance is about more than just avoiding hefty fines. Consistently assessing any gaps in your security program ensures the protection of sensitive cardholder information and the avoidance of theft and data breaches. It also helps you
Additionally, companies are required to regularly provide compliance reports as part of their card processing agreements. By regularly monitoring and assessing your security program for PCI compliance you can ensure that these compliance reports will be ready.
Other benefits of PCI compliance include maintaining a strong brand reputation, keeping customers happy, minimizing the risk of identity theft, and showing the public that you’re a responsible company dedicated to making security a priority.
Following the closure of the request for comment (RFC) phase on November 30, 2019, the PCI SSC has been developing the new PCI DSS version, which is currently expected to be completed by Q4 2021. Based on this timeline, the period to transition from the old PCI DSS v3.2.1 to the new PCI DSS 4.0 is expected to begin in early 2022.
Why should you update your compliance to the latest PCI DSS version? Here are four main reasons:
However, businesses must plan ahead now. Some organizations may need to accommodate budgetary changes to adapt to the redesign of the PCI requirements, with a focus on additional data management as well as security testing. Executing on these changes will likely require staff training and upskilling, as well as new tools, including data discovery solutions, to more thoroughly validate PCI DSS scope on an automated, recurring basis.
With version 4.0, PCI DSS is evolving to support a range of emerging payment environments, technologies, and methodologies for achieving security. The ultimate goal of version 4.0 is to ensure that the standard continues to meet the ever-changing security needs of the high-risk financial services industry.
PCI DSS 4.0 places greater emphasis on security as a continuous process and will promote fluid data management practices that integrate with an organization’s overall security and compliance posture. The majority of changes to its requirements are achieved by changing the language from stating what ‘must’ be implemented to what the resulting security outcome ‘is’. Other changes include:
If you are already compliant with PCI DSS 3.2.1, then you have a solid baseline to work from. However, PCI version 4.0 is expected to be stronger than the already comprehensive v3.2.1 and organizations will first need to understand how to quickly get organized and evaluate what is needed to achieve PCI compliance in 2021. Here is a quick PCI compliance checklist for you to get started.
Resources and support are available to navigate version 4.0. In fact, the core of our Ground Labs Enterprise Recon PCI solution has been deeply rooted in PCI compliance since 2007, and it is the global leader in PCI card data scanning. It allows organizations to discover and remediate cardholder data, as well as over 300 other data types, including predefined types and variants covering sensitive, personal and confidential data across an organization’s entire network, both on-premises and in the cloud. Its remediation functions can mask, encrypt or delete sensitive data, making it an effective solution to help organizations achieve and maintain PCI DSS compliance.
PCI DSS 4.0 represents the most comprehensive data security standard in PCI SSC’s 15-year history — get ahead of the official release and ensure your organization is ready for it with the help of Ground Labs.
Have questions about PCI DSS 4.0, or curious to learn how Enterprise Recon PCI can help you succeed? Schedule a demo with a PCI data discovery expert today.