PCI compliance and PA DSS compliance have been the main topics of many articles published on our blog. However, we feel that a quick update on the subject won’t hurt. Indeed, the pandemic has made even more people than before prefer electronic payments to cash. The reason: contactless payments (in the wider sense) are safer, at least from a sanitary viewpoint.
New challenges and PCI compliance standard update
While contactless payments are “healthier” than cash, the surge in electronic payment volumes makes credit card fraud levels soar. Both individuals and businesses (especially small ones) are falling prey to hacking attacks and fraudsters. Naturally, it is high time to make credit card data security standards more adequate and responsive to post-pandemic realities.
So, the PCI Security Standards Council is working on a new edition of the PCI Data Security Standard. On June 28, 2021, a new draft version of the standard became available for review. The respective request for another round of comments (RFC) was published on the council’s website on that same date. The PCI requirements currently in force are summarized in PCI DSS v3.2.1, and the document the council is developing (available for comments and reviews) is PCI DSS v4.0.
The review and development process has been going on for approximately two years now. The expected time of complete replacement of PCI DSS v3.2.1 with PCI DSS v4.0 is late 2024 or early 2025. However, the reviews and comments provided by member organizations so far already allow us to draw some interim conclusions. In particular, some points of the new standard provoke the greatest number of comments from reviewers. Let us provide a brief outline of these “feedback-generating” points here.
The main points of PCI compliance standard update
The main objectives of PCI DSS update are to:
- mitigate the newly emerging risks and threats to sensitive cardholder data,
- improve flexibility for member companies (we have stressed the importance of flexible payment technologies in one of our articles),
- make security enforcement an ongoing routine.
Most comments focused on the following requirements.
- Cryptographic protection of transmitted cardholder data (CHD).
- Strict access authentication and user identification. Specific requirements concern stronger passwords and two-factor authentication, access history logs, and the frequency of password changes.
- Restriction of physical access to sensitive data.
- Testing of security systems and processes.
- Implementation of adequate security programs and policies.
We should reiterate the focus of the new draft PCI DSS v4.0 on customizability, which is definitely a positive signal. In short, each company can apply its own mechanisms to meet and validate the new PCI DSS requirements. So, companies that use different security technologies are offered more freedom in terms of PCI DSS implementation and certification.
General recommendations of PCI standards council
In our recent article on contactless payments, we listed the key recommendations of the PCI Security Standards Council. They include:
- Further reduction of sensitive cardholder data exposure;
- Usage of stronger, harder-to-hack passwords;
- Timely updates and patching of payment software;
- Stronger encryption technologies;
- Careful choice of payment partners.
As we can see, the upcoming PCI compliance standard edition does not deviate much from these guidelines.
PCI standard updates concern merchant services industry players of all ranks. PCI DSS level 1 merchants should expect some new PCI audit routines, and small level 4 merchants should keep in mind that the self-assessment questionnaire they regularly complete will also be updated. To learn more about PCI compliance levels, check our respective article. Meanwhile, all entities that handle sensitive cardholder data should follow the council’s recommendations and PCI DSS v3.2.1. The best way to fulfill PCI requirements is to consult and work in close cooperation with a PCI auditor.
You are also welcome to consult our payment specialists at UniPay Gateway and learn more about how PCI DSS compliance applies to your specific business.