To the layperson, the PCI DSS can be a minefield, and it can be difficult to know where to start. With version 4 recently released and packed with changes, we are here to simplify things.
In case you weren’t aware, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements written and regulated by the PCI council. The council was originally founded by the card schemes (American Express, Discover, JCB International, MasterCard and Visa Inc). The standard was created to make payments safer for consumers and to help merchants secure their card data environment.
The goals of the PCI DSS are as follows:
- Continue to meet the security needs of the payment industry.
- Promote security as a continuous process.
- Increase flexibility for organisations using different methods to achieve security objectives.
- Enhance validation methods and procedures.
The PCI DSS helps protect your environment from intruders, much like securing your home from burglars. You would not lock the front door and leave a window open; in the same way, the standard aims to close the gaps in your security.
The standard is updated every few years following feedback from the community and industry. This is to keep up to date with developing technology, progress in the payment industry and emerging threats.
The PCI DSS applies to all merchants who accept card payments, regardless of the method of payment. All merchants must meet the twelve main requirements. Level 1 and level 2 merchants (large organisations) are usually required to complete a Report on Compliance (RoC) to become PCI compliant. Level 3 and level 4 merchants (smaller entities) are eligible to self-assess by completing a Self-Assessment Questionnaire (SAQ).
Implementing the controls in the standard not only improves the security of your environment, it also reduces the risk of a successful cyber-attack. The consequences of a breach of cardholder data can be severe, including reputational damage and financial loss. Merchants are also liable for fines from the card schemes for the loss of cardholder data, and potentially from the Information Commissioner's Office (ICO). Hence the importance of keeping your customers' data safe by implementing the standard.
Version 4 brings various changes to the standard. This includes additional clarifications being added to specific controls and supporting information to increase understanding and bring clarity to the requirements. New requirements have also been added to address new technologies and emerging threats, along with structural and formatting updates being made.
Version 4 was released in March 2022, but not all of its requirements are mandatory immediately. The new version introduced 64 new requirements, but only 13 are mandatory with immediate effect for version 4 assessments. The remaining new requirements are considered best practice until 31st March 2025, to allow time for implementation. The previous version, PCI DSS 3.2.1, will retire on 31st March 2024, after which merchants must meet the requirements of version 4.
With more businesses trading online than ever before, the security of your card data environment is vital. Don’t be the one to leave a window open for attackers.
Do you need assistance with getting up to speed on the new requirements? If you require help from IntaForensics specialist PCI DSS consultants, please contact us using the following link: https://www.intaforensics.com/contact-us/
There is no time to waste.
The new standard can be found here: