Any business or organization that accepts or processes credit and debit cardholder data should already be familiar with PCI DSS v3.2.1. Merchants are expected, and contractually required by the card brands, to meet this standard, and v3.2.1 has been the version in force since its publication in 2018.
The Payment Card Industry Security Standards Council (PCI SSC) is responsible for creating the standards merchants must follow to protect cardholder data. These standards are updated periodically to keep pace with the technologies that attackers exploit to breach payment systems.
The requirements merchants must meet to comply with the standard are changing again. At the time of writing, PCI DSS 4.0 is expected to take effect around November 2020 (the dates are tentative; see the timeline below). Businesses that already comply with PCI DSS v3.2.1 should not need to spend much time or money updating their controls. Merchants that are still building out their security program will likely find compliance harder.
In this guide, merchants will learn what they can expect with PCI DSS 4.0 and what it will mean for their business.
What is PCI DSS 4.0?
The Payment Card Industry Data Security Standard (PCI DSS) was created by the PCI Security Standards Council to strengthen the controls merchants maintain around cardholder data, with the aim of preventing breaches and fraud. The council was formed in 2006 by American Express, Discover, JCB International, Mastercard, and Visa Inc. These five card brands jointly govern the council and enforce the standards it publishes.
As technology advances, the council updates the standards merchants must meet to stay compliant. Since version 3.2 was introduced in 2016 and updated to 3.2.1 in 2018, new threats have emerged that target weaknesses in payment systems and in how cardholder data is processed. One example is the growing popularity of contactless payments, including payments accepted by merchants on commercial off-the-shelf (COTS) mobile devices.
Other areas of potential exposure are cloud storage, new software development practices, and a growing dependence on third-party companies that take part in payment processing or data storage. Third-party security is one of the areas the council addresses in PCI DSS 4.0.
What Are PCI DSS Standards?
There are 12 requirements that must be met for PCI DSS compliance. Most of them are unchanged in the new version; only four may require organizations to adjust their security controls. Merchants should nonetheless review all 12 requirements, not just the four the new version addresses. The requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt cardholder data when it is transmitted across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data to those with a business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
These requirements focus on implementing and maintaining adequate security controls to protect cardholder data. The requirements from version 3 of PCI DSS remain fundamentally unchanged: merchants are still expected and required to protect cardholder data. The new version does, however, make a few changes that will help businesses better manage and protect credit and debit card data.
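Requirement 3 ("protect stored cardholder data") is the one merchants most often fail in practice because primary account numbers (PANs) leak into places nobody intended, typically application logs. PCI DSS v3.2.1 requirement 3.3 allows at most the first six and last four digits of a PAN to be displayed, and requirement 3.4 requires the PAN to be rendered unreadable anywhere it is stored. The following is an added example, not code from the original article or from PCI SSC, that scans log lines for candidate card numbers, confirms them with the Luhn check so that order IDs and timestamps are not mangled, and masks each confirmed PAN to first six / last four. The log lines are constructed for the example; the card numbers are the standard Visa and Mastercard test PANs.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. Runs shorter than 13 digits (timestamps,
# amounts, short order numbers) are never considered.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812 check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_digits: str) -> str:
    """Mask to first six / last four, the maximum PCI DSS 3.2.1 req. 3.3 permits for display."""
    return pan_digits[:6] + "*" * (len(pan_digits) - 10) + pan_digits[-4:]


def scrub_line(line: str):
    """Mask every Luhn-valid PAN in one log line. Returns (scrubbed_line, pans_found)."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # digit run is not a card number; leave it untouched
        found += 1
        return mask_pan(digits)     # separators are dropped along with the middle digits

    return PAN_RE.sub(repl, line), found


def scrub_log(lines):
    """Scrub a sequence of log lines. Returns (list_of_scrubbed_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log (not real traffic). Line 2 carries a 13-digit order id that
# fails the Luhn check and must survive unchanged.
SAMPLE_LOG = [
    '2020-03-01T12:00:00Z INFO checkout pan=4111111111111111 amount=19.99',
    '2020-03-01T12:00:01Z INFO order_id=1234567890123 status=ok',
    '2020-03-01T12:00:02Z DEBUG card="5555 5555 5555 4444" cvv=***',
]

if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{count} PAN(s) masked")
```

Running the block masks the two test PANs (`411111******1111` and `555555******4444`) and leaves the order ID alone. A scrubber like this belongs at the log pipeline's ingestion point, but its real value during a PCI assessment is the opposite use: run it read-only over archived logs and count the matches to find out where PANs are being stored that should not be in scope at all.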
The New Changes to PCI DSS 4.0
Even though the basic premise of the 12 requirements remains the same, the council has adjusted four of them. Some businesses will be affected by the changes, while others will not. The changes, which concern authentication, encryption, monitoring, and testing, are driven by the growing number of merchants introducing new payment methods.
Payment methods are changing, as is how cardholder data is stored and managed. Version 4.0 of PCI DSS addresses these changes and the technology behind them.
Authentication
EMVCo (the consortium originally formed by Europay, Mastercard, and Visa) has been working with PCI SSC to improve authentication standards for log-in and payment processes. With the growing number of merchants that use third parties or contactless payments, greater emphasis is being placed on authenticating both the cardholder and the transaction.
Plug-in components that meet the security requirements will now be an option. These plug-ins, and any third-party contractors, must themselves meet the 12 requirements outlined in PCI DSS 4.0. The practical effect of this change is that merchants can accept credit and debit card transactions on consumer mobile devices, the COTS devices mentioned above.
Encryption
Protecting cardholder data has become paramount, especially after several large breaches were publicized worldwide, including those at Target and Capital One. PCI DSS 4.0 addresses these network threats. Malicious code is one of the major threats to payment systems, and contactless payment channels can be especially vulnerable to it. The new version of the standard gives merchants guidance and helps them implement practices adequate to secure their networks.
Monitoring
Technology is advancing rapidly, and that benefits both merchants and attackers. As more merchants adopt pluggable payment options to increase sales, they also open new paths for attackers to get in. The updated standard requires merchants to review their security controls and ensure they meet all applicable requirements, including the controls around newly implemented technology.
Testing
Testing of critical controls has been a requirement in every previous version of PCI DSS. In addition, many requirements from the Designated Entities Supplemental Validation (DESV) are now included. DESV was first published alongside PCI DSS v3.1 and guides merchants in securing cardholder data.
The requirements for PCI DSS 4.0 compliance are similar to those of the previous version; the difference is that 4.0 gives merchants room to adopt new payment methods while still ensuring cardholder data is secure.
PCI Non-Compliance
Keeping cardholder data secure matters for several reasons. If customers' personal information is breached, customers lose trust in the company. That is only one of the consequences a merchant faces if found to be non-compliant with PCI DSS.
Fines
Fines for PCI DSS non-compliance can range from $5,000 to $100,000 per month. The fines are levied by the affected card brands and typically passed to the merchant through its acquiring bank. The amount depends on the number of cardholders and transactions affected and on how long the company was out of compliance.
Compensation Costs
Businesses can still incur costs after a breach even if they were compliant with PCI DSS at the time. A merchant may be responsible for paying for credit monitoring and identity theft insurance for every customer affected by the breach. Depending on the number of customers affected, this can be expensive.
Infringement Costs
Penalties and fees arising from a data breach can lead the merchant's acquiring bank or payment processor to terminate the relationship, which leaves the merchant unable to accept credit or debit card payments at all. Other penalties can include a fee of $50 to $90 per cardholder affected by the breach.
Legal Consequences
A business that suffers a data breach can also be held liable in a civil lawsuit. Two examples are TJX, which agreed in 2007 to pay $40.9 million over its breach, and Neiman Marcus, whose 2014 breach affected an estimated 1.1 million cardholders.
Federal Audits
The Federal Trade Commission (FTC) can also act against a business whose security practices are found inadequate after a breach. Beyond imposing restrictions, it can require recurring independent security audits, which are time-consuming and expensive, and that cost is typically borne by the merchant.
Not implementing and maintaining adequate security protocols around cardholder data can also result in a lack of trust between the customer and merchant. If consumers don’t believe that their personal information is safe at a business, they are likely to go to a competitor that hasn’t been sanctioned for lapses in cybersecurity. This will lead to a loss in revenue that can have devastating effects on the business.
When Does PCI DSS 4.0 Take Effect
A tentative date of November 2020 has been set. This is when businesses that accept credit or debit cards, along with companies that handle cardholder data on their behalf, are expected to be compliant with PCI DSS 4.0. There are also milestones earlier in the year by which merchants should be updating their systems and preparing for compliance assessments.
One of these milestones is scheduled for June 2020, though it may change, and compliance assessments against the new version are also expected to begin then. Even though the full schedule has not been finalized, the penalties for non-compliance with PCI DSS v3.2.1 continue to apply in the meantime.
PCI DSS 4.0 Summary
Merchants that already comply with PCI DSS 3.2.1 should have little trouble meeting the new standard, and some may find it easier. Rather than justifying each security control individually, compliant merchants need only document that their measures are effective. This gives businesses more control over how they protect mobile and other devices that connect to or have access to the cardholder data environment; if their existing measures are deemed adequate, no changes will be required.
Companies that are not yet compliant, however, may find the new standard harder to meet. For some, that will mean upgrading existing security controls and implementing new ones. RSI Security helps businesses become PCI DSS compliant with the most up-to-date standards, including Version 4.0. Speak with one of our Qualified Security Assessors (QSAs) today.