Future of Payment Card Compliance

Written By: Tiaira Fitzgerald & Mark Repka

April 14th, 2022

The growth of online sales, specifically from 2020 to 2021, showed an increase of 14.2% according to the U.S. Census Bureau. This effect can also be seen globally within the pre-and-post COVID 19 timeframes for 2020, with a 19% gain in online revenue as a result of online sales according to the International Trade Administration. The increase in these online sales is a driving force for merchants to adopt newer online retail methods which in turn, creates new security concerns not previously handled. This begs the question of the future of payment card compliance and what does it look like moving toward a more e-commerce-centric business model? How can companies continue to process consumer credit card data safely? We can see the development of new payment applications, merchant retail environments, and credit card processing systems to meet the new demand of the industry. Experts anticipate that online consumer demand will continue to rise, and in doing so, there will be an increased need for vigilance regarding the safety of customer credit card data and the security of transactions. Merchants accept credit card payments via merchant gateways, e-commerce systems, and point-of-sale systems. These systems may be homegrown, wholly outsourced, or some mix in between with the use of service providers. During a transaction, credit card data is accepted and may be stored in the cardholder data environment via databases or pending transactions within the system; this data may be in volatile memory or stored within static memory pending the approval of the transaction. The systems that transmit, process, or store cardholder data are subject to the Payment Card Industry Data Security Standard. PCI DSS is the current standard that keeps consumer data protected when merchants process and store their credit card data. The newest iteration of the standard, PCI DSS v4.0 (released 3/31/2022), is the most up-to-date version of the standard and contains the most current information for the safety and security of payment card data per the PCI DSS council. There are many resources within the PCI DSS Council Blog for additional information for securing your payment environment.

The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for the handling of branded credit cards by organizations. The Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is performed annually at a minimum, to validate companies on how transactions are handled to reduce unintended exposure of cardholder data. Visa Cardholder information, MasterCard’s Site Data Protection, American Express’s Data Security Operating Policy, JBS’s Data Security Program, and Discover’s Information Security and Compliance are the five different card brand-specific programs to create additional levels of protection above that of PCI DSS. The levels of protection through the PCI DSS are created to ensure merchants and service providers meet minimum levels of security when storing, processing, and transmitting cardholder data. In September of 2006, the five-card companies aligned their individual policies to create the PCI DSS standard and with it, the PCI DSS Council. The Council mandates the evolution and development of PCI DSS to current industry trends to align the minimum security standard of payment card merchants and service providers.

The future of Payment Card Compliance is ever-evolving when addressing the concerns of continuous monitoring, new technologies, different processing methods, and incorporating service providers to reduce risk. The issue of point-in-time auditing is, how can companies stay compliant with the processing of data throughout the year while maintaining the requirements of PCI DSS and being held accountable? PCI DSS is more than maintaining a risk registry, but is a series of requirements that are regulations for the maintenance, change management, and continuous monitoring of the environment. Companies running a risk management program need to identify all known risks and record/describe them in a risk register which may not entail daily operational challenges. The risk management program developed should analyze all identified risks with remediation or acceptance as an ultimate goal.

The new PCI DSS version 4.0 includes updated firewall terminology definitions, network security controls, the expansion of requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment, increased flexibility for organizations to demonstrate how using different methods achieve security objectives of the standard, and targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities that best suit their business needs and risk exposure. PCI DSS v4.0 also adds further support for developing technologies, such as Fargate containers, Kubernetes, virtual devices, and services. Defining requirements as intent statements to the cloud or hybrid environments is one of the methods of addressing different emergent technologies to support the cardholder data production environment and its applicability to the standard. The PCI DSS Council’s release of version 4.0 is addressing evolving payment environments, technologies, and methodologies for achieving and maintaining security. The approach is to clearly identify security outcomes by linking each requirement to a security outcome and customizing implementations that are required to be met.

The current version of PCI DSS v3.2.1 will remain active for two years until it is retired in Quarter One of 2024. The adoption of PCI DSS 4.0 future-dated requirements will be mandated in Quarter One of 2025. Technology is evolving every day and PCI DSS requirements need to be kept up to date for the ever-changing landscape of payment security. It took over three years for more than 200 organizations to give thousands of items of feedback to formulate v4.0. This laborious process was instrumental in formulating the new standards and creating the new criterion for the credit card industry to follow moving forward.

Ready to simplify your next compliance assessment? Our bundled compliance solution takes a streamlined approach both on and off-site to get your business ready for its next assessment and keep you compliant all year round. Our expert QSAs know how to effectively implement the processes your organization needs to protect cardholder data and keep sensitive information secure. Reach out to the MegaplanIT team today to start building an effective compliance program for your organization.