- The shift towards electronic payments due to COVID-19 has increased the urgency for Paymentech industry to focus on PA DSS and PCI compliance, emphasizing the need for enhanced security in credit card transactions.
- In response to rising electronic transaction volumes and associated credit card fraud, the PCI Standards Council is revising the PCI DSS to version 4.0, which is currently under public review and aims to replace the existing v3.2.1.
- The updated PCI compliance standards focus on combating new security challenges, offering flexibility for different security strategies, and enforcing continuous data security, with specific emphasis on encryption, two-factor authentication, testing protocols, and physical access limitations.
- The impending PCI DSS v4.0 affects all merchant levels, necessitating adaptation across the industry, and aligns with general security recommendations like stronger passwords and encryption, underscoring the universal applicability and significance of these updates in safeguarding sensitive credit card data.
PA DSS and PCI compliance remain in the focus of Paymentech industry. Presently, COVID19 epidemic shifted the preferences of many buyers and sellers from cash to electronic payments. Indeed, payments that involve less physical contact, are less risky in terms of sanitary requirements.
PCI compliance and PCI data security standard update
Global increase in electronic transaction volumes spurred another surge of credit card fraud. Businesses and individuals become victims of identity theft and other kinds of fraudulent schemes. So, organizations that develop credit card security standards should respond accordingly.
Presently, PCI standards council is updating the basic PCI data security standard to version PCI DSS v4.0. The new draft document is now undergoing another round of public revision. This process is an iterative one. So, replacement of the current standard PCI DSS v3.2.1 with the new version will require many more months.
Reviews and comments by member companies indicate that some sections of the new standard draw greater attention than others. Now, we are going to take a look at PCI compliance issues, that reviewers’ comments mainly focus on.
The key points of the updated PCI compliance standard
First let us outline the strategic goals of the new PCI requirements. They are as follows.
- Fight the new challenges in the area of credit card data protection,
- Make PCI DSS compliance more flexible. Indeed, companies use different data security strategies and technologies. However, all of them should be able to successfully undergo PCI audit and certification.
- Enforce data security requirements on a permanent, continuous basis.
Now, let us list the PCI compliance issues, that provoked the largest number of reviewers’ comments.
- Encryption of sensitive card data as it is transmitted from point to point.
- Usage of two-factor authentication and strong passwords, documenting of access history, and frequency changes. All these requirements concern stricter user identification and access monitoring.
- Implementation of testing scenarios and protocols for security systems and processes.
- Limiting physical access to sensible cardholder data.
- Development and implementation of relevant security policies.
General security recommendations
Recently PCI standards council has published a set of strategic security recommendations. The recommendations are as follows.
- Lowering of cardholder data exposure levels;
- Generating stronger passwords;
- Regular updating and patching of payment handling software;
- Usage of stronger encryption mechanisms;
- Being more careful when choosing your payment partners.
So, the updated PCI DSS is totally in line with these PCi compliance recommendations.
So, who are the “target users” of the new standard?
Depending on transaction and processing volumes, a merchant belongs to one of four PCI compliance levels . Update of PCI requirements concerns both the largest companies (PCI DSS level 1 merchants) and small ones. Even SAQs, that level 4 merchants complete as part of PCI audit, are undergoing an update. So, all merchant services industry players will, probably, feel the impact of the changes in the PCI DSS.
All companies, that “touch” sensitive credit card data, must follow the requirements of PCI standards council. Present version of the standard is PCI DSS v3.2.1, while v4.0 is on the way. If you need explanations on how PCI compliance applies to your specific business case consult a PCI auditor. You can also contact our payment experts here at UniPay Gateway.