PCI compliance and PA DSS are a set of standards, ensuring the security of sensitive cardholder data. If your payment system handles or even “touches” credit card data, you have to be PCI compliant.
After the pandemic the volume of electronic payments increased. As did the level of credit card fraud (both consumer and merchant). So, companies need to implement more advanced fraud protection measures. And PCI data security standard should be updated accordingly.
General PCI compliance recommendations
According to the PCI standards council, in order to ensure payment data, a business should perform the following steps.
- Reduce sensitive cardholder data exposure to minimum;
- Use strong, hard-to-hack, non-intuitive passwords;
- Update and patch its payment software in time (and on a regular basis);
- Encrypt payment data using advanced technologies;
- Be extremely careful when selecting payment partners.
So, the draft new PCI requirements mostly follow these recommendations.
The key PCI compliance issues addressed in the new standard
Presently, the draft PCI DSS v4.0 is available for reviews and comments. And it turns out, that the above-listed guidelines still generate most comments and feedback from reviewers. Based on analysis of feedback from the last year’s request for comments, the reviewers commented a lot the following issues.
- Protection of sensitive card data through encryption.
- Identification of users and authentication of access. Specific issues in this context include, again, usage of strong passwords, two-factor authentication, and keeping access history logs.
- Restriction of access to cardholder data.
- Careful testing of security systems and processes.
- Adequate and sound security programs and policies.
The focus of PCI compliance requirements
The overall strategic purposes of updated credit card security standards are as follows.
- Mitigation of new risks and threats for payment data;
- Making data security protection an ongoing process;
- Ensuring flexibility of PCI DSS compliance routine.
The latter point is extremely important. Reason: the new standard makes PCI certification easier for companies implementing different security technologies. While being technologically diverse, they all can fulfill PCI requirements.
So, when will new standard enter into force?
Well, the standard currently in force is PCI DSS v3.2.1. The updated version is PCI DSS v4.0. According to the PCI standards council, the new standard needs a few more rounds of revisions. With all formal procedures and testing taken into account, PCI DSS v4.0 will replace the current version by 2025.
Is PCI compliance relevant only for large companies?
No. Even a level 4 merchant with relatively small processing volumes has to complete a special self-assessment questionnaire (SAQ). And this SAQ is regularly updated. As for PCI DSS level 1 merchants, they will have to follow new PCI audit routine, whatever it is going to be. So, the update of PCI DSS will impact most merchant services industry players.
If you accept electronic payments and operate with sensitive cardholder data, PCI compliance is one of your major concerns. As of now, companies that handle such data, should follow the requirements of PCI DSS v3.2.1. If you need more information on your PCI status and exposure, you can get it from a PCI auditor.
Besides that, you are free to address our payment experts at UniPay Gateway to learn how PCI DSS applies to your specific use-case.