A Look at PCI Compliance and the New Data Security Standards

In June, we reported that credit cards remain the most widely used form of payment, according to the Atlanta Fed's 2023 Survey and Diary of Consumer Payment Choice. In terms of overall volume, two-thirds of payments were made with cards-split evenly between credit and debit.

Merchants, issuers, acquirers, and service providers have the critical job of keeping card data safe. As I wrote in my last post, strong cybersecurity practices are essential to keeping threat actors out of your systems and away from valuable payments data. In response to threat trends (including cyberthreats), card network rules have adapted mitigation requirements. Any entity that handles card data is subject to the Payment Card Industry (PCI) Security Standards Council's PCI DSS v4.0.1, the latest version of the PCI Data Security Standard. The version 4.0 update in March included substantial changes. In June, version 4.0.1 was released as a limited revision.

PCI DSS combines technical and operational requirements to protect payment account data and the greater payment ecosystem. Categories include network security, vulnerability management, access controls, monitoring, and security policies. The version 4.0 update included more than 50 enhancements, with some compliance deadlines stretching into 2025. If you haven't done so already or are new to handling payment card data, it is time to get compliant, as failure to comply may result in hefty fines from card networks.

Below are some of the noteworthy PCI DSS changes:

• Front-line security: Expanded multi-factor authentication requirements, updated password requirements, and new e-commerce and phishing requirements. Additional changes require the encryption of sensitive authentication data that is stored electronically prior to completion of authorization.
• Ongoing security: Additional guidance to help people better understand how to implement and maintain security and clearly assigned roles and responsibilities for each requirement. To address web-based attacks, standards now require an automated technical solution for public-facing web applications. Other new requirements include technical controls to prevent copying and/or the relocation of the primary account number when using remote access technologies and validation of certificates used on public networks.
• Customized approach: A new method to implement and validate PCI DSS requirements. This provides another option for organizations using innovative methods to achieve security objectives. Targeted risk analyses empower organizations to establish their own cadence for performing certain activities.
• Enhanced validation documents: The official mechanism by which entities convey their PCI DSS compliance status to their acquirer or payment brands. Changes include increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and Attestation of Compliance.
• Incident response: Updated plan requirements to mitigate the impact of breaches. New requirements include the use of a change- and tamper-detection mechanism for payment pages, along with procedures to be in place and initiated upon detection of the stored primary account number anywhere it is not expected.

The PCI Security Standards Council recommends creating a formal plan that is dedicated to implementing the changes and communicated to all stakeholders. Updated procedures also need to be established and maintained. More important, clearly defining roles and responsibilities is mentioned repeatedly throughout the standards. The council recommends external partners and suggests using qualified professionals such as payment card industry professionals, internal security assessors and qualified security assessors to support the consistent and proper application of PCI DSS controls.

For more information, browse the PCI DSS v4.0 Resource Hub.