Most merchants are aware that the Payment Card Industry Data Security Standard (PCI DSS) requirements are changing and go into effect at the end of 2020. The majority of organizations understand that advancing technology means the standards need to be updated. However, the lack of information is making it difficult for them to prepare for the upcoming annual audit.
Failing to pass a PCI DSS audit can be costly to a business. Fines can be applied and can add up quickly. Merchants might not know what the precise changes to the newest version of PCI DSS are. However, there are steps they can take to help them prepare for their audit.
In this guide, you’ll see what the PCI DSS 4.0 changes are and how your business could be affected. You’ll also find helpful tips that will start getting you prepared for the audit.
What’s New in PCI DSS 4.0
Changes to PCI DSS compliance requirements are expected to affect four of the 12 standards outlined in version 3.2. While PCI DSS 4.0 should not fundamentally change the original compliance requirements, the Security Standards Council (SSC) is thought to have updated four of them based on feedback from stakeholders. The four areas are:
- Merchants may need to look to the National Institute of Standards and Technology (NIST) for guidance on creating passwords. A multi-factor authentication process may be implemented, requiring employees to provide two pieces of ID before being allowed to access the system.
- Requirements may be broad regarding the transmission of cardholder data across open networks. Along with requiring data to be encrypted, there will be additional guidance on how best to protect information being sent across potentially vulnerable networks.
- All systems and networks need to be continually monitored, but merchants will also have guidance on how to secure new technology. This includes employee personal devices and endpoint detection tools.
- Critical controls will need to be monitored and tested more frequently. Merchants might have to meet additional standards from the Designated Entities Supplemental Validation for PCI DSS compliance.
These changes will give merchants more freedom in how they meet PCI DSS requirements by allowing them to implement cybersecurity protocols that fit their business.
How to Prepare for PCI DSS 4.0
Merchants do not want to “put off” preparing for PCI DSS 4.0 simply because it hasn’t taken effect. It’s also a mistake to believe that it’s not necessary to prepare if the organization was in compliance during its last audit. Here are some steps that will help you get ready for PCI DSS v4.0.
- Don’t presume you’re in compliance
If you are already meeting compliance standards, don’t sit back and presume you’ll pass your next audit. You still need to provide documentation that validates your security protocols. The auditor will also request the quarterly reviews that indicate the practices are monitored and tested regularly. Start getting all pertinent documents together so you’ll be ready when the auditor arrives.
- Have accurate network diagrams
It’s crucial for organizations to have accurate diagrams of their networks. Not only do the systems that store, process, and transmit cardholder data need to be separated and secured from others on the network, but you also need to know how the systems are interacting with protected data.
Creating a flow diagram will help you see which systems handle cardholder data and how it can be best protected from breaches. Some questions merchants should consider when creating their diagram are:
- How is the network built?
- Is there an adequate firewall around the card-processing systems, especially at the edge?
- Is the network internally segmented?
- Does the system have a multi-interface firewall?
- Are there multiple firewalls around the system/network?
If the answer is “no” to any of these questions, the flow diagram will make it easier to correct any potential security problems that could be present during the audit.
- Understand potential risks
Since the basic principles of the 12 PCI DSS requirements aren’t expected to change, merchants will need to perform risk assessments at least once a year. Anytime any significant changes are made to the network, a risk assessment must be performed.
The purpose of a risk assessment is to identify any threats or potential vulnerabilities. It is a proactive approach to your cybersecurity, and this will be important if a potential breach is detected or occurs. When the system or network is compromised, the business will be expected to show it performed a risk assessment. The risk assessment should include all technology, processes, and employees that interact with cardholder data.
- Perform an internal examination
Staying in compliance requires more than just an annual assessment. With the constantly changing threat environment, along with changes to the system/network, staff turnover, and regulatory variations, a business can be out of compliance without realizing it.
To prevent a non-compliance issue, organizations need to monitor and test critical processes and systems regularly. For many businesses, this means quarterly testing. Running critical tests can be time-consuming, even for smaller businesses, but it is worth the effort to ensure you stay in PCI DSS compliance. Some of the penalties for non-compliance can include legal, federal, and municipal fines, along with a possible increase in card processing fees. Some of the data breach fines businesses might be forced to pay include:
- Merchant processor compromise fine: $5,000 – $50,000
- Card brand compromise fees: $5,000 – $500,000
- Forensic Investigation: $12,000 – $100,000
- Onsite QSA (Qualified Security Assessor) audit after the breach: $20,000 – $100,000
- Free credit monitoring for affected customers: $10 – $30 per card
- Card re-issuing penalties: $10 – $30 per card
- Security updates: $15,000+
- Lawyer fees: $5,000+
- Breach notification costs: $1,000+
- Technology repairs: $2,000+
The total possible cost of a security breach can range from $50,000 to $773,000 and higher. It is also important to note that not all of these fines will be applied to every merchant that experiences a security breach. These are only possible fines that can be assessed depending on the severity and time it took to report and repair it. However, the important point to remember is that performing regular assessments can prevent the need for any fines or other penalties.
- Contact an assessor throughout the year
A qualified security assessor (QSA) is available for more than an annual audit. Their knowledge and expertise can benefit a business throughout the year. A QSA can ensure that, as new security protocols and practices are implemented, each one meets compliance standards.
QSAs will be able to point out any potential issues before they become security problems. They are available to answer any questions, along with helping organizations implement the protocols correctly.
- Involve PCI DSS stakeholders
This applies to your flow diagram, which should indicate where the systems handle credit and debit cardholder information. Once you have the basic flow diagram complete, involve staff and other business stakeholders. Often data is stored in areas not identified on the diagram, and others can help find it. Some areas where this can occur include:
- Errors that occurred during card processing or transmitting can store partial or complete cardholder data. An error log is usually created when this occurs and is rarely protected from breaches.
- Accounting departments may have unencrypted data stored for financial purposes. This information should be deleted or have security protocols implemented.
- Sales departments may accidentally have emails or printed documents containing cardholder information. Since this information is beyond the scope of their job, it can be a violation.
- Marketing databases might not be secure even if they have personal consumer information.
- Customer service representatives may write down information that is deemed protected. This can give non-authorized personnel access to restricted data.
- Spreadsheets are often created by administrative assistants that contain an executive’s personal card information for easy access. These spreadsheets can be easily viewed by non-authorized personnel, creating a security breach.
When companies involve others in the flow diagram they are more likely to find hidden data that could present a security breach or result in an audit failure.
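One way to hunt for cardholder data that has leaked into the error logs and spreadsheets described above, as an added example that is not part of the original article and not an RSI Security tool: the script scans constructed log lines for 13 to 19 digit runs, confirms each candidate with the Luhn mod-10 check that card numbers satisfy (which filters out order numbers and timestamps), and reports only a masked form so the scan itself does not create another copy of the data. The sample log and the card numbers in it are constructed test values.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run (so a 20-digit ID is not partially matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the usual display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid candidate: its line number and masked PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": line_no, "masked": mask_pan(digits)})
    return findings


# Constructed sample: a gateway error log that captured full PANs alongside
# look-alike values (an order number and a millisecond timestamp) that must not be flagged.
SAMPLE_LOG = """\
2020-11-03 10:15:02 ERROR gateway timeout order=1234567890123456 pan=4111111111111111 amount=19.99
2020-11-03 10:15:09 INFO retry ok ts=1700000000123 order=1234567890123456
2020-11-03 10:16:41 ERROR decline reason=cvv pan=5555 5555 5555 4444
2020-11-03 10:17:00 DEBUG support note: customer read card 3782-822463-10005 over phone
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: {f['masked']}")
```

Point the same function at exported spreadsheets, ticket notes or mail archives to find the undocumented storage locations before the assessor does.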
- Update documents regularly
There are several PCI DSS requirements that mandate documentation pertaining to cybersecurity to be updated regularly. It can also protect your business from steep fines if a breach occurs. Updated and accurately documented security protocols and practices will help the forensic auditor establish what security measures were in place and monitored regularly.
Documentation should also include a business charter that establishes the merchant as responsible for protecting cardholder data. The program implemented for PCI DSS compliance and its maintenance must also be included in the documentation, as must the protocols outlining how the employee responsible for compliance communicates with management. All of this must be documented for compliance.
Businesses with third-party vendors need to have documentation for each one. This will include written agreements that establish their need and responsibility to meet PCI DSS regulations. However, the organization is responsible for ensuring that all third parties are compliant and documented for the assessor. If a breach does occur through a third party, the documentation can protect the business.
- Assign a compliance “leader”
Even businesses that are in compliance with PCI DSS 3.2 still need to do more to get ready for version 4.0 than going through a self-assessment questionnaire. Even though it is a useful tool, being able to answer “yes” on each question doesn’t guarantee compliance. To get ready for the PCI DSS 4.0 audit it can be helpful to assign an employee the task of being a compliance officer.
The compliance officer will need time and resources to perform the job properly, but they will be able to correct any protocols and/or practices that could present a security risk. They will also meet with the auditor during the assessment. In order to perform their job, the compliance leader will need the following:
- The ability to understand technical terms often used by an auditor.
- The ability to answer the auditor’s questions and respond to suggestions for security improvements.
- A PCI audit checklist, along with questions to ask the auditor.
- A copy of the previous year’s Report on Compliance (ROC).
- Documents on how the business, network, and systems are managing recent threats or identified vulnerabilities.
- Confirmation that non-compliance penalties have been discussed with stakeholders.
- Confirmation that all event logs have been checked up to the date of the audit.
- An understanding of the 12 requirements for PCI DSS 4.0 compliance.
- A full understanding of the scope of their job as a compliance officer/leader.
Having one person in charge of compliance can simplify it, while also freeing up management for other business-related projects. However, upper management still needs to be aware of what, if any, potential security vulnerabilities exist. Failure to meet compliance ultimately falls on the head of the business.
While there will be changes with PCI DSS 4.0, they do not appear to require merchants to completely overhaul their current cybersecurity protocols. This doesn’t mean that you don’t have to take a few steps to prepare. The main standards are still requirements.
Whether you need an assessment or just have a few questions about PCI DSS 4.0, the experts at RSI Security are here to help.