Any organisation that takes payments from customers where transactions involve storage, processing or transmission of cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Introduced in 2004 by Visa, Mastercard, American Express, JCB International, and Discover Financial Services, the Standard provides 12 rules to help organisations to protect their customers’ sensitive payment card data.
An updated version of the Standard was released at the end of March 2022, which provides merchant organisations two years to transition to. This provides time to make the necessary changes to their payment security processes and enable them to maintain compliance with the new version of the Standard.
Why is the Standard changing?
PCI DSS 4.0 has been introduced to account for technological advances in the payments arena, accelerated digital service adoption, the increase in remote working driven by the pandemic, and evolving cyber threats which demand more robust protections around the card data environment.
What are the main changes?
While the twelve core requirements remain the same, PCI DSS v4.0 introduces three major changes including customised implementation of the Standard for level 1 merchants, mandatory multifactor authentication, and continuous security testing. The requirement to encrypt cardholder data has also been extended to trusted networks as well as public networks.
- Continuous testing
Cyber security threats are constantly evolving and a card data environment that was compliant during the annual audit may become vulnerable to a new form of attack. In response, PCI DSS 4.0 requires Qualified Security Assessors (QSAs) to test merchants’ environments, processes and infrastructure over an extended period, rather than relying on annual audits, which only provide a ‘snapshot’ of security compliance.
- Passwords are no longer enough
Password vulnerabilities have been well documented. To comply with PCI DSS 4.0, all access to the card data environment must now be protected with multifactor authentication (MFA). Passwords for accessing payment and control processes must also be lengthened and strengthened by using at least 12 characters and including a mixture of numbers and letters.
- Increased flexibility for Level 1 merchants
Rather than being prescriptive about how enterprises comply with PCI DSS, version 4.0 allows Level 1 merchants to design their own data security and access controls to comply with the core intent of the Standard (which is to protect customers’ payment card data). This affords enterprises far greater flexibility to adopt new technology or enhanced security solutions that align with their particular operational requirements, while keeping pace with emerging consumer payment methods and evolving threats that face their payment ecosystem.
Because the customised approach to PCI DSS 4.0 compliance must be documented by a QSA, Level 2 – 4 organisations, which handle fewer than 6 million payment transactions a year and conduct a Self-Assessment Questionnaire (SAQ), are not eligible to use a customised approach. Level 2 merchants, which process between 1 million and 6 million transactions a year, must also complete a Report of Compliance (RoC).
Arguably the biggest change within PCI DSS 4.0 is that the Standard is moving away from a prescriptive tick box approach to compliance to a focus on the outcome of the customised controls that are implemented.
Compliance is subjectively assessed by a QSA to ensure that it meets the intent of the requirement. As an example, requirement 188.8.131.52 of the updated Standard requires that managers ensure that employees have adequate security awareness training to protect cardholder data.
A QSA will need to subjectively assess whether the training provided to employees delivers the level of security awareness to enable the organisation to protect cardholder data against phishing attacks and other forms of social engineering.
Compliance in the cloud: are you ready?
In recognition of the fact that public cloud service giants are able to make significantly higher investments in securing their environments and maintaining leading edge technologies, the new wording of PCI DSS 4.0 also allows for adoption of cloud-based hosting services and introduces a new set of requirements for securing cloud and serverless workloads.
In the PCI DSS 4.0 document, it states that the scope of PCI DSS requirements applies to the card data environment (CDE), which comprises system components and the people and processes that transmit, process and store cardholder data or authentication data.
It states that “system components” include network devices, servers, computing devices, virtual components, cloud components, and software including, “Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. Cloud infrastructure and components, both external and on premises, and including instantiations of containers or images, virtual private clouds, cloud-based identity and access management, CDEs residing on premises or in the cloud, service meshes with containerized applications, and container orchestration tools.”
It goes on to stipulate the segmentation and access control configurations required for merchants using cloud-based services, stating: “It is important that a multi-tenant service provider defines controls so that each customer can only access their own environment and CDE to prevent unauthorized access from one customer’s environment to another.”
To verify that the intent of the Standard is being met, QSAs must confirm during their audit that configuration is set up to ensure that each merchant organisation only has access to its own cloud-based CDE and cardholder data and that organisations cannot access other organisations’ cloud-based card data environments.
The countdown is on
When the new Standard was revealed at the end of March 2022, a Summary of Changes was also provided that confirmed the current version (3.2.1) will be retired in the first quarter of 2024.
This means the transition period starts now, providing two years to shift from the old to the new. By providing this timeline, it allows for organisations to focus on the required organisational changes necessary to achieve compliance, and budget accordingly. It is recommended that a comprehensive transition plan is created by compliance officers, which can be implemented once the new Standard is enforced.
Balancing compliance and experience
Cloud-based services became central to all of our lives during the pandemic, but, when contact centre staff started working from home, this moved the Point of Interaction outside of the trusted network. An international survey we conducted found that consumer concerns around card data security sharply increased during this period. However, adding layers of security can slow down transactions and frustrate consumers. We believe however that payment security can be achieved while also allowing consumers to seamlessly pay using their preferred method.
One of the most effective ways to comply with the intent of PCI DSS 4.0 – and protect your customers’ data – is to leverage the cloud to descope your infrastructure by not storing any payment card data within your organisation’s systems.
Our cloud-based solutions descope payments made over the phone, chat, email, social media, and messaging, to mitigate risks to payment data and maintain compliance with PCI DSS 4.0. Importantly, this is achieved without adding friction to the payment process, which would otherwise have the potential to impact customers’ experiences and risk transactions being abandoned.
As organisations plan their journey to PCI DSS 4.0 compliance, it’s heartening to see that the Standard has been updated to enable organisations to benefit from the enormous security investments made by public cloud providers, so that they can ultimately deliver enhanced security and convenience to their customers.