The Payment Card Industry Data Security Standard is a voluntary security framework to help protect customers and merchants against the theft of credit card data during POS transactions. Like many other compliance frameworks, PCI DSS has continually evolved over the years to match new technologies and new threats to the privacy of consumers shopping online and off. As of 2021, the PCI Security Standards Council has announced the newest version of PCI DSS, version 4.0.
While the official documentation for the updated standard had, as of March 2021, not been released, many merchants and banks are already preparing for the transition. Here are some basics on PCI DSS and the move to version 4, coming in Summer 2021.
What is PCI DSS Compliance?
PCI DSS is a compliance framework and set of standards meant to standardize security around credit card transactions. As credit cards, and particularly credit cards used in Card Not Present (CNP) transactions, remain the norm for shopping, it’s incredibly important for merchants, credit card networks and banks to apply rigorous security standards to protect consumer information.
PCI DSS was initially created in 2004 through a collaboration between major card networks like Visa, Mastercard, American Express, and JCB International to secure technology that processes, stores, and manages credit and debit card information.
At its core, PCI DSS calls for some basic but important security measures, 12 in total:
- Install and maintain firewalls to protect cardholder data
- Use strong, unique passwords and authentication to protect access to any platform that contains payment data
- Secure stored data through encryption and other technical security measures
- Secure transmitted data by using encrypted transfer methods from computers or POS software
- Develop secure systems and regularly update those systems
- Implement anti-virus software
- Assign unique IDs to users to track resource access
- Restrict physical access and implement physical security measures
- Enact regular documentation and risk assessment procedures
- Implement data logging
- Use user segmentation to restrict user access to customer data
- Conduct regular penetration tests and security scans
These rules and requirements are the same for all merchants and are considered the baseline measures for protecting customer credit card data. However, PCI DSS also sorts merchants into four compliance levels:
- Level 1: Merchants that process over 6 million transactions per year (or any merchant of any size that has experienced a data breach).
- Level 2: Merchants that process between 1 and 6 million transactions a year.
- Level 3: Merchants with between 20,000 and 1 million transactions per year.
- Level 4: Merchants with fewer than 20,000 transactions per year.
Additional requirements for compliance depend on the merchant’s level:
- Level 1 merchants must undergo annual third-party audits. This includes a network scan by an Approved Scanning Vendor (ASV) and delivery of an annual Attestation of Compliance and a Report of Compliance.
- Level 2, 3, and 4 merchants must complete a PCI DSS Self-Assessment Questionnaire and undergo quarterly scans with an ASV.
Merchants at Level 2 or 3 that experience a data breach can be designated Level 1 merchants by Visa for compliance purposes.
Unfortunately, PCI DSS compliance is not legally binding, and a 2019 report from Verizon showed that only 29.7% of global merchants met full PCI DSS compliance.
What is PCI DSS 4 and How is it Different from the Previous Version?
The central 12 requirements of PCI DSS should remain relatively unchanged. The technical and physical controls meant to help merchants and banks uphold those requirements will probably change to match evolving technology and security threats.
That being said, the complete picture of PCI DSS v4 changes isn’t completely known, and probably won’t be known until the Summer of 2021. Some of the expected changes in the standards include:
- Revising authentication requirements to handle more advanced security measures like Multifactor Authentication (MFA) and making payments through mobile devices. This could mean more complex password requirements or security.
- Evolved risk assessment for merchants, banks, and credit networks to handle the increasingly common use of mobile devices on the part of consumers and cloud and distributed systems on the part of merchants and banks. This could also include more rigorous risk assessment guidelines for merchants and banks overall.
- Managing unique control configurations around new technology. Companies would be able to adopt custom control systems to maintain flexibility in the face of new technologies like cloud hosting services.
- More stringent testing, training, and scoping requirements. Perhaps a no-brainer, the new v4 could include several revisions to training and planning requirements to meet the challenges of new technologies and new security threats.
- Updated encryption requirements. This could include updated technology requirements as well as expanded situations where encryption is required.
When Should Businesses Start Preparing for PCI DSS Version 4?
One of the stated goals of PCI DSS v4 revisions is to increase the flexibility of reaching compliance so that merchants and banks can more effectively maintain security standards. What does that mean for merchants?
- You can get a head start in thinking about what updating compliance means for your organization by ensuring that you are up to date with the PCI DSS evolution roadmap released by the PCI Security Standards Council in October 2020.
- Identify a security partner that works with PCI DSS compliance to help you audit your existing systems to prepare for the upcoming update. If you aren’t compliant, working with an expert organization can help you optimize and automate your road to compliance. If you ARE compliant and just want to prepare, then this partner can be your ear to the ground when the new standards hit so you can hit the ground running.
- Start early. The expected release date for PCI DSS v4 is “mid-2021”, which will place the release firmly in the Summer. Additionally, required updating to the new standard will not be necessary until 2 years after this release date. This will give your organization time to make a security plan, implement it, and automate it.
The current version of PCI DSS (3.2.1) is expected to remain active for 18 months following the release of version 4. So, if you are a merchant or bank working with upgrading your compliance requirements, you have some time to re-situate your IT and security efforts.
Don’t Wait for the Change. Prepare for PCI DSS Now
It’s never too early to start considering what your upgrade path will look like. Whether you aren’t yet working toward PCI DSS compliance and want to achieve it, or you are already PCI DSS compliant and ready to set a proactive footing for future changes, now is the time to assess your security posture and prepare for that future.
Are you ready for PCI DSS compliance or upgrades and want an expert, automated solution? Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about our ITAMs auditing and compliance tools.