Future of Payment Card Compliance
Written By: Tiaira Fitzgerald & Mark Repka
April 14th, 2022
The growth of online sales from 2020 to 2021 was 14.2% according to the U.S. Census Bureau. The same effect can be seen globally in the pre- and post-COVID-19 timeframes for 2020, with a 19% gain in online revenue according to the International Trade Administration. The increase in online sales is driving merchants to adopt newer online retail methods, which in turn creates security concerns they have not handled before. This raises the question of what the future of payment card compliance looks like as businesses move toward a more e-commerce-centric model: how can companies continue to process consumer credit card data safely? New payment applications, merchant retail environments, and credit card processing systems are being developed to meet the new demand of the industry. Experts anticipate that online consumer demand will continue to rise, and with it the need for vigilance regarding the safety of customer credit card data and the security of transactions. Merchants accept credit card payments via merchant gateways, e-commerce systems, and point-of-sale systems. These systems may be homegrown, wholly outsourced, or some mix of the two through the use of service providers. During a transaction, credit card data is accepted and may be stored in the cardholder data environment, whether in databases or as pending transactions within the system; this data may reside in volatile memory or in persistent storage pending approval of the transaction. The systems that transmit, process, or store cardholder data are subject to the Payment Card Industry Data Security Standard. PCI DSS is the current standard that keeps consumer data protected when merchants process and store credit card data.
The newest iteration of the standard, PCI DSS v4.0 (released 3/31/2022), contains the most current requirements for the safety and security of payment card data per the PCI DSS Council. The PCI DSS Council Blog offers many additional resources for securing your payment environment.
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for the handling of branded credit cards by organizations. The Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is completed at least annually to validate how a company handles transactions and to reduce unintended exposure of cardholder data. Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express's Data Security Operating Policy, JCB's Data Security Program, and Discover's Information Security and Compliance are the five card brand-specific programs that create additional levels of protection above that of PCI DSS. The levels of protection within PCI DSS are designed to ensure merchants and service providers meet minimum levels of security when storing, processing, and transmitting cardholder data. In September 2006, the five card brands aligned their individual policies to create the PCI DSS standard and, with it, the PCI DSS Council. The Council mandates the evolution and development of PCI DSS in line with current industry trends so that the minimum security standard for payment card merchants and service providers stays aligned.
The future of payment card compliance is ever-evolving as it addresses continuous monitoring, new technologies, different processing methods, and the incorporation of service providers to reduce risk. The issue with point-in-time auditing is how companies stay compliant with their processing of data throughout the year while maintaining the requirements of PCI DSS and being held accountable. PCI DSS is more than a risk register; it is a series of requirements governing the maintenance, change management, and continuous monitoring of the environment. Companies running a risk management program need to identify all known risks and record and describe them in a risk register, which may not capture daily operational challenges. The risk management program should analyze all identified risks, with remediation or acceptance as the ultimate goal.
The new PCI DSS version 4.0 includes updated firewall terminology and definitions, network security controls, the expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment, increased flexibility for organizations to demonstrate how different methods achieve the security objectives of the standard, and targeted risk analyses that allow entities to define how frequently they perform certain activities to best suit their business needs and risk exposure. PCI DSS v4.0 also adds further support for developing technologies, such as Fargate containers, Kubernetes, virtual devices, and services. Defining requirements as intent statements that apply to cloud or hybrid environments is one of the methods of addressing emergent technologies that support the cardholder data production environment and clarifying how the standard applies to them. The PCI DSS Council's release of version 4.0 addresses evolving payment environments, technologies, and methodologies for achieving and maintaining security. The approach is to clearly identify security outcomes by linking each requirement to an outcome and allowing customized implementations that still meet it.
The current version, PCI DSS v3.2.1, will remain active for two years until it is retired in Quarter One of 2024. The adoption of the PCI DSS 4.0 future-dated requirements will be mandated in Quarter One of 2025. Technology evolves every day, and PCI DSS requirements need to keep up with the ever-changing landscape of payment security. Over more than three years, more than 200 organizations provided thousands of items of feedback to formulate v4.0. This laborious process was instrumental in formulating the new standard and creating the new criteria for the credit card industry to follow moving forward.
Ready to simplify your next compliance assessment? Our bundled compliance solution takes a streamlined approach both on and off-site to get your business ready for its next assessment and keep you compliant all year round. Our expert QSAs know how to effectively implement the processes your organization needs to protect cardholder data and keep sensitive information secure. Reach out to the MegaplanIT team today to start building an effective compliance program for your organization.