opinion

Unpacking the Payment Card Industry's Latest Data Security Standard

Unpacking the Payment Card Industry's Latest Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements and guidelines that apply to all businesses that accept credit card payments, and is designed to ensure the security of those transactions. Created in 2004 by Visa, Mastercard, Discover and American Express, the PCI DSS has evolved over the years to ensure that online sellers have the systems and processes in place to prevent data breaches.

The PCI DSS Version 4.0 officially became the new standard on April 1. Coming at a critical time when cyber threats are increasingly sophisticated, this update emphasizes the need for stronger safeguards to protect sensitive cardholder data.

One of the most notable updates is the increased focus on authorization mechanisms, encouraging the use of multifactor authentication and stronger password requirements.

PCI DSS 4.0 introduces several key changes and enhancements aimed at improving the overall security posture of companies that handle payment card data. One of the most notable updates is the increased focus on authorization mechanisms, encouraging the use of multifactor authentication and stronger password requirements.

Additionally, the new standard places a greater emphasis on monitoring and logging practices, ensuring that businesses have the necessary tools and processes in place to detect and respond promptly to security incidents.

PCI compliance can sometimes seem overwhelming to the average business owner, since achieving it requires educating yourself on a variety of security protocols and processes. Fortunately, with a bit of help, you can successfully navigate these waters and achieve compliance in no time.

Businesses can use various tools to achieve PCI compliance, but a well-structured compliance checklist is critical and makes the process much easier. Here are eight mandates that every merchant should be familiar with.

Firewall: Protect cardholder data with a firewall. Every device interacting with cardholder data must have a firewall installed, protecting your network from outside attacks. This will ensure all transactions happen safely. Buy and use only approved PIN entry devices at your POS. Buy and use only validated payment software at your POS or website shopping cart.

Passwords: Immediately change default passwords on hardware and software as soon as you receive them from vendors. That includes your wireless router. For strong and unique passwords, use password management software to generate a random password or use the “three random words” method.

Data Protection: Both physical and digital cardholder information must be strictly guarded. Physical access to cardholder information should be restricted and monitored. Remember to log out when leaving a terminal and add a timeout after a short period of inactivity is detected. Digital data must be protected using firewalls. 

Encryption: PCI-compliant encryption is essential. It prevents data and information from being stolen during the transfer between the issuing bank and acquiring bank, encrypting cardholder data that passes through open, public networks and confirming POS encrypts this data. Ensure peer-to-peer encryption. Make sure your wireless router uses encryption.

Antivirus Software: Install antivirus software, be sure to update it with the latest versions and regularly run a virus scan. Set up a monthly checklist/process where you download or patch your software, so you know you are up to date. Otherwise, new vulnerabilities will not be patched.

Secure Systems: Implement a security checklist that employees must follow to protect data and ensure the security of systems and applications. This checklist should address any vulnerabilities and keep all your software up to date, including firewalls, apps and POS. Test security processes and systems frequently to make sure they are still working and improve where needed. Regularly check PIN entry devices and PCs to ensure no one has installed rogue software or “skimming” devices.

Cardholder Data Access: To reduce the chance of a breach, minimize the number of employees who have access to cardholder data. Only those who need such access in order to perform their jobs should have it. 

Permission ID: Assign unique IDs to each employee or user with access to cardholder details and network resources. This enables you to track precisely who logs in and when. Consider surveillance for fraudulent activity.

Develop clear information security policies in order to implement the above guidelines, and to prove and track compliance. Policies and procedures should identify how standards are maintained so that auditors can verify your compliance. Teach your employees about security and your policies.

PCI DSS 4.0 represents a significant step forward in the fight against cybercrime, providing your business with a comprehensive framework to protect payment card data and maintain the trust of your new and existing customers. Whatever the size of your business, PCI compliance is a must.

Jonathan Corona has two decades of experience in the electronic payments processing industry. As chief operating officer of MobiusPay, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards mandated by the card associations, including, but not limited to, maintaining a working knowledge of BRAM guidelines and chargeback compliance rules defined in both Visa and Mastercard operating regulations.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More