Companies that handle and transmit credit and debit card information must meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). These standards were created and are maintained by the Payment Card Industry Security Standards Council (PCI SSC). The council is composed of the five major credit card companies: Mastercard, Visa, American Express, Discover, and JCB.
Merchants have been familiar with PCI DSS regulations for several years. Version 3.1 was in use until being replaced in 2016 by PCI DSS 3.2. By the end of 2018, the standards had been updated again. The SSC has created version 4.0 and by November 2020, businesses will be expected to be in compliance.
Like other versions, there are changes in PCI DSS 4.0. In this guide, you will learn what these changes are and how your business could be affected.
PCI DSS Requirements
Before merchants can understand and implement the PCI DSS 4.0 changes, they need to be familiar with the twelve security controls that are already required. The main framework of these requirements remains the same in version 4.0.
The twelve control criteria are as follows:
- A firewall must be installed, maintained, and capable of protecting cardholder data.
- All system passwords and other security parameters must be unique rather than vendor-supplied defaults.
- All cardholder data stored on-site or by a third-party vendor must be protected from breaches.
- If cardholder data is transmitted across public networks it must be encrypted.
- Antivirus software must be implemented, regularly run, and updated.
- Secure systems and applications must be implemented and maintained.
- Cardholder data must be restricted to a “need-to-know” basis. Only employees that need the information in the scope of their job should be able to access cardholder information.
- All employees with network/system access must have a unique ID.
- Physical access to cardholder information must be restricted.
- Access to the network and cardholder information must be tracked and monitored.
- All security systems must be regularly tested.
- Implement and maintain a policy that addresses information security.
As mentioned earlier, the council is not changing the fundamentals of the 12 standards. However, the council is trying to meet some new cybersecurity goals, which is why there are PCI DSS 4.0 changes going into effect in late 2020.
What are the PCI DSS 4.0 Changes?
The specific changes to PCI DSS 4.0 evolved from the SSC’s requests for comments (RFCs) that went out to PCI SSC stakeholders. The RFCs were reviewed and discussed by the council and helped to outline the goals they are hoping to accomplish with the upcoming changes.
The feedback from stakeholders covered existing standards that need to evolve to meet advances in technology and risk mitigation techniques, along with allowing businesses greater flexibility to use a broader range of methods and controls to meet the security standards. To address these RFCs, the SSC has four goals for PCI DSS v4.0.
- Ensure the standards meet the payment industry’s security needs.
- Add flexibility and support new methodologies that meet security standards.
- Establish security as a continual process.
- Update/Improve methods and procedures used for access validation.
As noted, these changes focus on four specific areas that include authentication, encryption, monitoring, and critical testing. Here is what could change in these areas.
PCI DSS 4.0 changes may focus more on NIST MFA guidelines for password authentication. Using multi-factor authentication would require an employee to provide two forms of identification before gaining access to the system or application. The SSC might also focus on businesses’ use of the 3DS Core Security Standard for authorizing credit/debit card transactions. This would allow merchants to implement pluggable authentication options while still protecting cardholder information and keeping pace with the business’s changing transaction methods.
Network security has always been paramount. Cyber threats and breaches are becoming more common, and the PCI DSS 4.0 changes will address this. This includes malicious code, which is becoming one of the largest threats to cybersecurity. Once such code is introduced to a network, cardholder information can be stolen as it is transmitted. To prevent cybersecurity breaches, PCI DSS v4.0 will give merchants guidance on the best practices that will keep their networks fully protected.
As technology advances, many merchants are turning to pluggable options. These allow for faster processing of payment information without having to be physically at the network’s location. Sales can increase out in the field, but so can security risks. PCI DSS 4.0 is expected to address these potential risks for security breaches.
Critical Control Testing
Designated Entities Supplemental Validation (DESV) requirements are part of previous PCI DSS versions, but they were usually applied only to organizations that had experienced a security breach. Under PCI DSS v4.0, the regular critical control testing and additional protocols that DESV requires could become standard for all merchants.
With these changes, businesses will have more freedom in how they protect their network and cardholder information while still meeting PCI DSS regulations.
Who Will PCI DSS v. 4.0 Apply To?
PCI DSS requirements apply to any merchant, business, or organization that processes, stores, or transmits consumer data from any of the five major credit card companies. There are different compliance levels based on the number of annual completed transactions. These levels determine the amount of security a merchant needs for compliance, along with the amount of validation needed to pass the PCI DSS assessment.
The four merchant levels are:
Level 1 applies to merchants that have 6 million-plus completed transactions annually across all channels. There is an exception for global merchants that are classified as Level 1 only in a specific region. The highest level rating will apply in all areas they conduct transactions, even if some places may only process 1 million transactions annually.
Level 2 ratings apply to any merchant that conducts between 1 and 6 million annual transactions across all networks and channels.
Level 3 focuses on e-commerce and online merchants. Any that process 20,000 to 1 million transactions across all channels will be placed at this level.
Level 4 is for online merchants that have fewer than 20,000 transactions across all channels annually. It also applies to businesses that process fewer than 1 million annual transactions.
Since the number of transactions processed by a merchant annually can change, an annual audit is conducted to ensure that security standards are being met and the company is listed at the correct level. If the company fails the audit, penalties can occur.
PCI DSS Non-Compliance Penalties
Merchants that are found to be non-compliant with PCI DSS regulations can face penalties and fines. It’s not only the loss of trust between a merchant and consumers if a security breach occurs, but monetary fines and even potential prison time are also possible penalties.
Some of the penalties that can be leveled against a business found to be non-compliant include:
- Fines
Fines for non-compliance can range from $10 to $1,000 per month and higher. These fines will appear on the monthly statement from the payment processor, typically listed as a “PCI non-compliance fee”. The amount of the fine will depend on the severity of the breach and on how quickly it was discovered, reported, and resolved.
- Forensic audits
Once a breach occurs, the organization must give a forensic examiner all documents pertaining to compliance. The examiner will check to see whether the breach was a result of non-compliance or of a failure to maintain other security protocols. The organization will be responsible for the cost of the audit.
If any or all compliance documentation is absent the examiner will be required to perform an assessment of all security controls in place. The organization will also be responsible for this additional fee.
- Payment restrictions
Credit and debit card payment brands can restrict processing transactions by non-compliant merchants. These restrictions are usually removed once compliance has been met. In some cases, the payment brand can terminate all services if the merchant fails to meet the required standards. This would effectively limit the merchant to “cash-only” sales.
- Reactive compliance
Merchants need to be aware of the penalties that are possible if new technology is implemented without considering whether compliance standards will still be met. If a breach occurs and the new technology does not meet the requirements, penalties can be applied retroactively back to the initial installation date.
These penalties apply to all merchants, even those at Level 4 that perform fewer than 20,000 transactions annually. Payment Card Industry data indicates that Level 4 merchants can be the most vulnerable to a cybersecurity threat. This is thought to be due to the low level of security required to protect their systems. The PCI SSC noted in 2016 that 71 percent of hackers targeted small Level 4-rated businesses. This is why, regardless of a merchant’s level rating, it is important to stay in compliance with the required security standards.
Getting Ready for PCI DSS 4.0 Compliance
Avoiding fines and penalties for non-compliance is important. With the PCI DSS 4.0 changes coming in a few months, businesses should begin taking steps now to ensure they are ready. There are six steps that businesses can take today. These were compiled from assessments of past security breaches and feedback from forensic auditors.
- Delete all data from the system that is not necessary. This applies to any data that could be considered sensitive. Removing it will reduce the chances of it being compromised.
- Identify all common points of access and constantly monitor these for potential breaches or compromises in the security system.
- All payment card information applications must be secure against hackers. This involves checking for any weaknesses in the system and correcting them immediately.
- Merchants should monitor access to the system constantly. Access to information outside of an employee’s job duties needs to be restricted. Monitoring and security protocols also need to be documented.
- Companies need to determine which information is deemed to be highly sensitive, like primary account numbers. This data should have added security protocols protecting it. It is also important to document these protocols.
- All protection controls should be tested and monitored regularly. This also allows merchants to finalize any additional protocols before the audit.
Simply by implementing these six steps, businesses can ensure that they’re in compliance and ready to meet any changes that might be coming with PCI DSS 4.0.
Technology is changing, and this affects how organizations protect cardholder information. In response to advancing technology, the PCI SSC is preparing to release the next version of its required standards. PCI DSS 4.0 is slated to give merchants more flexibility in how they protect data, but the original 12 standards will remain the same.
RSI Security is here to help merchants prepare for the changes coming with PCI DSS 4.0. Whether it is improving existing security protocols or implementing new ones, our experienced auditors are ready to answer any questions.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.