PA-DSS and PCI compliance remain a focus of the payment technology industry. The COVID-19 epidemic has shifted the preferences of many buyers and sellers from cash to electronic payments, since payments that involve less physical contact carry less sanitary risk.
PCI compliance and PCI data security standard update
The global increase in electronic transaction volumes has spurred another surge in credit card fraud: businesses and individuals are falling victim to identity theft and other fraudulent schemes. Organizations that develop credit card security standards have to respond accordingly.
Presently, the PCI Standards Council is updating the core PCI Data Security Standard to version PCI DSS v4.0. The new draft document is undergoing another round of public review. Because this process is iterative, replacement of the current standard, PCI DSS v3.2.1, with the new version will take many more months.
Reviews and comments by member companies indicate that some sections of the new standard draw more attention than others. Let us take a look at the PCI compliance issues that reviewers’ comments mainly focus on.
The key points of the updated PCI compliance standard
First, let us outline the strategic goals of the new PCI requirements. They are as follows.
- Fight the new challenges in the area of credit card data protection.
- Make PCI DSS compliance more flexible. Companies use different data security strategies and technologies, but all of them should be able to pass a PCI audit and obtain certification.
- Enforce data security requirements on a permanent, continuous basis.
Now, let us list the PCI compliance issues that provoked the largest number of reviewers’ comments.
- Encryption of sensitive card data as it is transmitted from point to point.
- Use of two-factor authentication and strong passwords, logging of access history, and the frequency of password changes. All these requirements concern stricter user identification and access monitoring.
- Implementation of testing scenarios and protocols for security systems and processes.
- Limiting physical access to sensitive cardholder data.
- Development and implementation of relevant security policies.
General security recommendations
Recently, the PCI Standards Council published a set of strategic security recommendations. The recommendations are as follows.
- Lowering of cardholder data exposure levels;
- Generating stronger passwords;
- Regular updating and patching of payment handling software;
- Usage of stronger encryption mechanisms;
- Being more careful when choosing your payment partners.
So, the updated PCI DSS is fully in line with these PCI compliance recommendations.
So, who are the “target users” of the new standard?
Depending on transaction and processing volumes, a merchant belongs to one of four PCI compliance levels. The update of PCI requirements concerns both the largest companies (PCI DSS level 1 merchants) and small ones. Even the SAQs (self-assessment questionnaires) that level 4 merchants complete as part of a PCI audit are being updated. So all merchant services industry players will probably feel the impact of the changes in PCI DSS.
All companies that “touch” sensitive credit card data must follow the requirements of the PCI Standards Council. The current version of the standard is PCI DSS v3.2.1, while v4.0 is on the way. If you need an explanation of how PCI compliance applies to your specific business case, consult a PCI auditor. You can also contact our payment experts here at UniPay Gateway.