PCI DSS compliance: Is your business ready for PCI DSS 4.0?

In 2030, the total volume on all payment cards is forecast to reach $79 trillion. Fraud losses? An equally staggering $49 billion, meaning roughly 6 cents per $100, according to the latest Nilson Report.

In the US, the situation seems especially dire. Over the next decade, payment card volume is expected to climb to nearly $19 trillion and fraud losses to $17 billion, or almost 9 cents per $100. Personally identifiable information sold on the dark web remains a major headache for card issuers. It’s often used to open new credit accounts with the specific intent to defraud. “Stolen American payment cards can be bought on the dark web for as little as $5.80, on average, and the US has the most stolen cards circulating,” Payments Dive reports.

The Covid-19 pandemic has also wreaked havoc on the already vulnerable payments environment, with more transactions carried out online or over the phone. In 2020, card-not-present fraud made up 68% of losses incurred by card industry merchants and acquirers. “Their fraud risk models were not built to handle the avalanche of first-time CNP authorization requests from valid cardholders,” Nilson analysts explain. “The shake-up enabled criminals to quickly seize the opportunity to activate cards previously stolen but lying dormant.”

It’s no wonder that PCI DSS (Payment Card Industry Data Security Standard) compliance has become a top-of-agenda issue for businesses of all sizes and sectors that handle sensitive financial information – and want to put cardholders’ minds at ease about sharing it. So in preparation for the official release of PCI DSS 4.0, let’s take a closer look at what PCI DSS is and how to make sure you’re on the right track to becoming (or remaining) PCI DSS compliant.

In a nutshell: what is PCI DSS compliance?

The Payment Card Industry Data Security Standard was designed to bolster cardholder data security and drive global adoption of consistent data security measures by providing a baseline of technical and operational requirements that shield card data from theft, loss, and misuse. PCI DSS 1.0 was first released in December 2004 to align the card brands’ separate security programs into a single standard; this in turn led to the formation of the Payment Card Industry Security Standards Council, or PCI SSC. Founded in 2006 by MasterCard, American Express, Visa, JCB International, and Discover, the consortium oversees the development, management, implementation, and promotion of the PCI DSS.

All entities and activities involved in payment card processing are covered by the PCI DSS. That means merchants, processors, acquirers, issuers, service providers, and virtually any business that stores, processes, or transmits cardholder data or sensitive authentication data. Cardholder data comprises the primary account number (PAN), cardholder name, expiration date, and service code; sensitive authentication data comprises full track data (magnetic-stripe data or equivalent on a chip), the CAV2, CVC2, CVV2, and CID codes, and PINs and PIN blocks. The distinction matters in practice: cardholder data may be stored if it is protected, but sensitive authentication data must not be retained after authorization, even in encrypted form. Merchants fall into one of four PCI DSS compliance levels, set by the card brands based on the volume of transactions they handle over 12 months.

The twelve commandments: PCI DSS requirements

According to PCI DSS v3.2.1, published in May 2018, there are 12 requirements grouped under six goals that businesses must implement to protect the payment card ecosystem.

Build and maintain a secure network and systems

  • Install and maintain a firewall configuration to protect cardholder data – protect your systems from unauthorized access from untrusted networks.
  • Replace vendor-supplied defaults for system passwords and security parameters – fend off attackers who use vendor default passwords and settings to compromise systems.

Protect payment card and cardholder data

  • Protect stored cardholder data – store only what the business needs, keep it no longer than required, and render the PAN unreadable wherever it is stored, using strong encryption, truncation, masking or one-way hashing.
  • Encrypt transmission of cardholder data across open, public networks – protect data in transit over networks where traffic can be intercepted with strong cryptography, such as current versions of TLS.
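As an added illustration of Requirement 3 (example code written for this article; not code from PCI SSC or from Tresorit), the Python below shows the practical difference between masking a PAN for display, truncating it for storage and deriving a keyed one-way hash of it for lookups, and reuses the same Luhn check to scrub card numbers out of free-text log lines so they never reach log storage. The hash key, the card numbers (published test numbers) and the log lines are constructed test data; in production the key would live in a key management system or HSM, never in source.

```python
"""PAN handling helpers: masking, truncation, keyed hashing and log scrubbing.

Hypothetical example code; the key, card numbers and log lines below are
constructed test data, not anything from a real cardholder data environment.
"""
import hashlib
import hmac
import re

# Constructed test-only key. In production this would be held in a KMS/HSM
# under the key-management controls of Requirement 3, never hard-coded.
EXAMPLE_HASH_KEY = bytes.fromhex("00" * 32)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (13 to 19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits visible
    (the v3.2.1 Requirement 3.3 limit). The full PAN still exists elsewhere."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only a segment (here the last four) and discard
    the rest. Unlike masking, the full PAN is not retained anywhere."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[-4:]


def pan_index(pan: str, key: bytes = EXAMPLE_HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the entire PAN, usable as a lookup
    token. An unkeyed hash is brute-forceable: with a known BIN and the Luhn
    check digit, the remaining PAN space is small enough to enumerate."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line: str) -> str:
    """Replace anything that looks like a PAN (right length and passes Luhn)
    with its masked form, so PANs do not land in plaintext logs. Numeric
    strings that fail Luhn, such as order ids, are left alone."""
    def repl(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    pan = "4111111111111111"  # published Visa test number
    print("masked:   ", mask_pan(pan))
    print("truncated:", truncate_pan(pan))
    print("index:    ", pan_index(pan))
    print(scrub_log_line("order=123456789012 card=4111 1111 1111 1111 amount=19.99"))
```

The scrubber deliberately uses the Luhn check as a filter rather than matching every long number, which keeps false positives (timestamps, order ids) out of the output; the price is that a Luhn-valid number that is not a PAN will also be masked, which is the safer failure mode for a log.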

Design a vulnerability management program

  • Protect all systems against malware and regularly update anti-virus software – use anti-virus software on all systems commonly affected by viruses, worms, and Trojans.
  • Develop and maintain secure systems and applications – fix known vulnerabilities by installing vendor-supplied security patches promptly, and follow secure development practices for software you build yourself.

Implement strong access control measures

  • Restrict access to cardholder data on a need-to-know basis – ensure that critical data can only be accessed by personnel who need it to perform their jobs.
  • Identify and authenticate access to system components – assign a unique ID to each person with access, so actions taken on critical data can be tracked.
  • Limit physical access to cardholder data – reduce the risk of individuals accessing devices or data and removing systems or hard copies.

Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data – have logging mechanisms in place so that a data compromise can be detected, its impact limited, and its cause traced.
  • Regularly test security systems and processes – check system components, processes, and custom software frequently (vulnerability scans, penetration tests) to ensure that security controls keep working as the environment changes.

Create an information security policy

  • Have a policy in place to address information security for all personnel and make sure that everyone is aware of their role in translating it into practice.

PCI DSS best practices: seven ways to boost compliance

Achieving and maintaining PCI DSS compliance should be a shared goal and responsibility across the organization. Here are some tips and best practices, courtesy of PCI SSC, to help you cover your bases.

1. Design a compliance program that works for your business

“For a compliance program to be sustainable, it should be implemented into business-as-usual activities as part of the organization’s overall security strategy,” the council advises. This way, it’s easier to keep an eye on the effectiveness of security controls and make sure you don’t fall out of compliance between PCI DSS assessments.

2. Find the right metrics to measure performance

Develop a set of metrics based on your organization's specific needs, goals and objectives, operating environments, risk priorities, and compliance program maturity to assess the effectiveness of security initiatives. If needed, reallocate resources, and demonstrate the return on security investment to stakeholders.

3. Set up workflows and assign ownership for security activities

Establish a formal PCI DSS compliance program that includes all the people, processes, technologies, policies, and procedures that are key to maintaining your organization’s PCI DSS compliance. Then assign an individual, preferably management-level, to coordinate relevant resources, projects, and costs.

4. Remember: compliance is not the same as security

Remember that the PCI standard is only a minimum set of security requirements for protecting payment card account data. To go beyond that baseline, work towards building a culture of security and a shared sense of duty to protect information assets and IT infrastructure – and think of compliance as a by-product of doing so.

5. Detect failures fast and act even faster

When it comes to card and cardholder information security, any control failure can qualify as a formal security incident that requires a formal response. At a minimum, response processes should include reducing incident impact, restoring controls, performing root-cause analysis and remediation, implementing hardening standards, and enhancing monitoring.

6. PCI DSS compliance is not a check-the-box exercise

Cyber-attacks continue to evolve and become more sophisticated. So make sure your security controls follow suit and keep pace with the ever-changing threat landscape, organizational transformations, and new business initiatives. Plus, always check the impact new processes and technologies have on the organization’s security posture.

7. Keep an eye on third-party service providers

Vulnerable third-party service providers can easily become an entry point for malicious actors looking to exploit your data. Ensure they understand their roles and responsibilities in meeting PCI compliance requirements and set up processes to monitor their compliance status to determine whether a change in status requires a change in the relationship.

Getting PCI DSS compliant: key milestones explained

To get started on your PCI DSS compliance journey, you must first determine your organization’s PCI DSS compliance level. The levels are defined by each card brand rather than by the standard itself; the thresholds below are Visa’s, and the other brands’ are similar. Level 1 merchants process over 6,000,000 transactions a year, Level 2 merchants 1,000,000 to 6,000,000, Level 3 merchants 20,000 to 1,000,000 e-commerce transactions, and Level 4 merchants fewer than 20,000 e-commerce transactions (or up to 1,000,000 transactions across all channels). A brand can also move a merchant up a level, for example after a breach.

Next, fill in the self-assessment questionnaire (SAQ) that best describes how you accept payment cards. Each SAQ is a series of yes-or-no questions covering the PCI DSS requirements that apply to that payment channel, so it doubles as a compliance checklist for self-evaluating your posture and uncovering gaps. For example, SAQ A covers merchants that fully outsource card handling to a validated third party, while SAQ D covers everyone who does not fit a narrower questionnaire.

Once you’ve closed the gaps identified during self-assessment, you can formally attest your compliance. The Attestation of Compliance (AOC) is the signed declaration that your organization meets the applicable requirements. For self-assessed merchants it is signed by the merchant and submitted together with the SAQ (plus passing quarterly external scans from an Approved Scanning Vendor, where the SAQ type requires them). Level 1 merchants instead undergo an on-site assessment by a Qualified Security Assessor (QSA) or a certified internal security assessor, which produces a Report on Compliance (ROC); in that case the AOC is signed by both the merchant and the QSA.

PCI DSS 4.0: what to expect and when?

“Changes to the PCI Data Security Standard (DSS) coming (…) are significant, and do something very important in that they move compliance from an audit-driven, one-time event, to a continuous improvement process aimed at best securing payments,” explains David King, CTO at Flywire and member of the PCI Security Standards Council. Scheduled for release in March 2022, the security standard will see major updates in four areas.

There will be a stronger emphasis on anti-malware measures, covering not just how organizations protect the cardholder data environment but how they protect themselves more broadly. Businesses will be encouraged to approach compliance as a continuous process instead of scrambling to pass the annual PCI DSS assessment. Validation methods and procedures are expected to require more evidence and become more stringent, stretching both assessment scopes and IT budgets.

“The standard is moving to adopt NIST password guidance, which is a lot stronger, and forces multi-factor authentication for every touchpoint. There are also stronger transaction authorizations that we’re starting to push, such as 3D Secure or 3DS protocols, which provide an additional layer of security involving customer authentication,” the CTO says. PCI DSS 4.0 will also raise the bar on encryption as well as on monitoring, logging, and detection.

End-to-end encryption, zero-knowledge authentication, total data and access control: get PCI DSS 4.0-ready with Tresorit

Easy to set up and integrate into your workflows, Tresorit protects your files in the cloud with end-to-end encryption. With a zero-knowledge authentication scheme in which your password never leaves your device, you stay in control of your most confidential information. Files are encrypted with unique, randomly generated keys that never reach our servers in unencrypted form, and public key cryptography ensures that even Tresorit cannot access the shared keys. This means that the contents of your files stored in Tresorit cannot be read, and cannot be modified without your knowledge, even if somebody were to access our servers.

Tresorit allows you to implement data protection measures while collaborating on files, such as controlling who has access to personal data, logging file activities, and creating internal security policies for data management. Tresorit Business Account admins can apply policy templates to a set of users, create different policies for each template, and modify these templates at any moment. Plus, admins can decide and monitor which devices are allowed to be used to access files within the organization and from where users are allowed to log in to their company account to safeguard business-critical documents, such as payment card information.