If you accept credit or debit cards at your business you are required to follow specific regulations. Known as the Payment Card Industry Data Security Standard (PCI DSS ) these regulations were created by Mastercard, Visa, American Express, Discover, and JCB International. The goal of being in compliance with the regulations is to protect credit and debit card information from fraud and data breaches.
The standards are governed by the Payment Card Industry Security Standards Council (PCI SSC). What’s surprising is that the governing council does not have the legal authority to require compliance, even though they created the standards. Merchants are still required to be compliant with PCI regulations by federal law. Being certified shows customers that you care and are able to safeguard their personal information. This builds trust and also company profits.
Since PCI v 1 was introduced in 2004 there have been two additional versions released. This is to keep the standards current with the latest technological advances. Now, late in 2020 PCI 4.0 will be the new set of standards. Many retailers are wondering what is PCI v. 1.0 and how will it affect their business. In this guide, you’ll find out everything you need to know to meet the upcoming compliance standards.
Assess your PCI compliance
What is PCI 4.0?
PCI 4.0 is the set of standards merchants are required to meet to be in compliance with federal law. It’s the fourth version of the standards created by the banking and credit card industry.
Even though the regulatory council can’t penalize you if you’re non-compliant, it is still required by federal law. Certification for PCI 4.0 establishes that your business has implemented firewalls, all data transmissions are encrypted, and anti-virus software is installed and maintained. Access to protected data must all be limited across networks and platforms.
This is a generalization of what PCI 4.0 standards are. However, the latest version also includes some new ones. Before you can understand what the new changes mean for your business, you need to be familiar with the 12 current requirements.
Requirements for PCI DSS Certification
The PCI SSC has 12 standards merchants must meet if they handle cardholder information. Regulations also apply to how a secure network is maintained. To simplify the requirements the PCI SSC has six categories, each with a few subcategories. To be in compliance all of the standards for each one must be met.
Have a secure network
A firewall must be created, installed, and maintained. It must be able to block unauthorized access to personal protected information.
The passwords to access the systems/networks must be original. If businesses are using ones supplied by the vendor, they are not meeting compliance standards.
Cardholder data must be secure
All data collected must be protected against breaches.
Any information transmitted over the network must be encrypted.
Manage any network vulnerabilities
Anti-virus software must be implemented and regularly maintained.
Businesses must develop secure systems and applications and provide regular maintenance.
Control Network Access
Access to personal data must be limited to only those that need it to perform their jobs.
Anyone with network access must have a unique password or i.d.
All physical access to private data must be restricted.
Monitor and test the network
Access to data and resources must be monitored and tracked across networks.
Security protocols and systems must be maintained and tested regularly.
Policy detailing information security
Businesses must have a policy in place detailing how employees are to maintain data security.
These standards all apply to how credit and debit cardholders’ private information is kept secure. Some businesses might already have the necessary security protocols in place, while others are starting from the ground up. Creating and implementing security measures can be time-consuming and expensive for some businesses, but a licensed expert can help.
These standards will apply to PCI 4.0 compliance, along with some new ones. While the exact verbiage concerning the new standards hasn’t been released yet, the council has announced a few changes that will apply to all businesses and organizations that accept credit and debit cards.
What’s New in PCI 4.0
Emma Sutcliffe, the council’s Global Head of Standards stated that there are not any major changes to the 12 main requirements for PCI certification. She goes on to say that the new requirements will focus on addressing the constant security threats to cardholder data, while also allowing businesses some flexibility in how they choose to make and keep their networks secure.
In simpler terms, businesses will still need to be PCI DSS certified but they will be allowed some leeway in how they choose to meet compliance standards. Merchants won’t have to meet every letter of the standard only to be able to demonstrate that they have the protocols able to meet the regulations. One example pertains to password security.
Businesses are currently required to have employees change theirs once a month. Under PCI 4.0, stronger passwords can be used, along with strictly managing user access and having a multi-level identification process. With these protocols in place, a business can allow employees to keep the same password over several months and still be in compliance.
What PCI 4.0 doesn’t mean is that businesses must change the security approaches they currently use – as long as they’re validated. It only allows you to customize your security protocols to better fit the needs of the business and your customers. All businesses will still need to be in compliance with PCI DSS. This means going through the certification process.
What is PCI DSS Certification
PCI DSS certification shows customers that you are able to protect their data. It builds trust between merchants and their clients. The certification also indicates that you are meeting the regulations required by the government. While all merchants need to meet the twelve standards, how they are certified can vary.
There are four compliance levels and they’re based on the number of debit or credit card transactions a business processes annually. The level indicates what a business needs to do to stay in compliance.
Level 1: 6 million + transactions per year
Merchants that process over six million debit and/or credit card transactions a year must be audited once a year. A certified auditor must perform the audit. Additionally, a PCI scan is required every quarter. An ASV (Approved Scanning Vendor) must perform the scan.
Level 2: 1 – 6 million transactions per year
Any business that processes one to six million debit and/or credit card transactions per year is required to perform an SAQ ( Self-Assessment Questionnaire). A PCI scan might also be necessary once a quarter.
Level 3: 20 thousand to 1 million transactions per year
If your business is processing 20 thousand to one million debit and/or credit card transactions a year they will need to have a yearly SAQ assessment. It might also be necessary to have a quarterly PCI scan too.
Level 4: 20 thousand transactions per year
Even small businesses that only process 20 thousand debit and/or credit card transactions per year still need to do a yearly SAQ assessment. PCI scans each quarter might also be required to stay in compliance.
As you probably noticed the more transactions your business processes the stricter the guidelines to remain in compliance. It should also be mentioned that the number of transactions that apply to the level must be processed in the real world. It does not apply to cryptocurrency.
Why Businesses Need to Be PCI DSS Compliant
We’ve already been mentioned several times that PCI certification builds trust with customers. It shows them that it is safe to use their debit and credit cards at your business. However, this is not the only reason merchants want to be in compliance with the council’s standards.
PCI standards are in place to prevent data breaches. If one occurs, it can be devastating to a business’s reputation and cost them financially. Not only are there state laws requiring organizations that handle personal information to have adequate security protocols in place, but there are also federal laws as well.
Both state and federal laws require that merchants notify all parties affected by a data breach within thirty days. Failure to do so will result in fines. Anyone that tries to cover up a breach in security can face up to five years in prison.
One of the toughest federal regulations regarding how businesses handle a security breach is the Gramm-Leach-Bliley Act (GLBA). This act applies to all financial institutions that manage personal protected data.
There are a few factors that go into determining the penalty for a data breach. If it’s the first time, companies might only have to pass an assessment test. If this isn’t the first breach or if it’s found that adequate security measures weren’t in place, the penalties will be stiffer. These can include fines up to one million dollars, along with the possibility of jail time. Businesses might even be required to discontinue accepting debit and credit cards.
Many businesses forget to consider the legal ramifications from a data breach. Lawsuits, many of them class-action, are expensive to litigate in court. The cost can go higher if the business loses the civil case.
With reasons like these, it’s not hard to understand why it’s important for businesses to meet PCI standards.
Protect Data with PCI 4.0
Threats to personal data are evolving constantly. This means that security measures must stay ahead of any potential threat. To protect data and prevent breaches, your security protocols need to be maintained and changed as needed. If the threats are changing so should your system.
The PCI 4.0 standards are changing to meet these threats. While the same main regulations are still in place, businesses can be more flexible about how they interpret the standards. This freedom allows organizations to create a cybersecurity system that best meets their needs. The council understands that no two businesses have the exact same security needs.
Whether you want to change your current security system or run an assessment of your current one the experts at RSI Security are here to answer any questions. RSI Security helps businesses become PCI DSS compliant with the most up-to-date standards including Version 4.0. Speak with one of our Qualified Security Assessors (QSA) today.