Major PCI Compliance Update Demands Immediate Action
The latest update to the Payment Card Industry Data Security Standard (PCI DSS) is the first since version 3.2.1 was released in 2018. That's an eternity in the world of industry regulations and the technology required to satisfy those regulations. As a result, it should be no surprise that the new standard, PCI DSS 4.0, brings major changes. Any organization that stores, processes or transmits cardholder data should be reviewing it now so it can start the process of becoming compliant.
While there are far too many updates to include in a single article, the PCI Security Standards Council breaks down PCI DSS 4.0 updates into four broad categories.
1) Continue to Meet the Security Needs of the Payments Industry.
The idea here is that security practices must adapt to evolving threats. Updates include expanded multifactor authentication requirements, new password requirements, and new requirements to address email phishing attacks and threats to e-commerce platforms.
2) Promote Security as a Continuous Process.
This is part of an ongoing effort by industry regulators to make compliance a shared, day-to-day responsibility instead of an annual audit managed by the IT and compliance departments. Updates include assigning roles and responsibilities for various requirements, additional guidance to ensure optimal implementation and maintenance, and a new reporting option to identify opportunities for improvement and increase transparency.
3) Increase Flexibility for Organizations Using Different Methods to Achieve Security Objectives.
Meeting new compliance requirements can be an extremely heavy lift. PCI DSS 4.0 seeks to lighten the load by allowing organizations more options to meet the requirements of the new standard and implement new technology solutions. Updates include targeted risk analyses that allow flexibility in setting the frequency for various compliance-related activities, and the ability to develop a customized approach for implementing and validating PCI requirements and achieving its objectives.
4) Enhance Validation Methods and Procedures.
Clarity in validation and reporting supports greater transparency and the ability to provide more granular data. PCI DSS 4.0 seeks to build alignment between compliance reports or self-assessment questionnaires and demonstration of compliance.
The Risks of Procrastination
Many of the updates outlined in PCI DSS 4.0 are designated as best practices until March 31, 2025, after which they become mandatory requirements that assessors will test. (The previous version, PCI DSS 3.2.1, was retired on March 31, 2024, so assessments after that date are already against 4.0.) However, recent history shows the vast majority of companies are already struggling to meet existing compliance requirements.
The Verizon 2020 Payment Security Report found that just 27.9 percent of organizations were fully compliant in 2019. This is a drop of 8.8 points from 2018, which shows that compliance performance is getting worse as cybercriminals continue to target payment data through web applications and point-of-sale devices.
Meanwhile, penalties for noncompliance are severe and increase over time if organizations fail to achieve compliance. The PCI Security Standards Council does not itself levy fines; the card brands fine the acquiring bank, which typically passes the cost on to the merchant under its merchant agreement, often alongside higher transaction fees or loss of the ability to process cards. The commonly cited fine ranges are as follows:
- One to three months: $5,000-$10,000 per month
- Four to six months: $25,000-$50,000 per month
- Seven months or more: $50,000-$100,000 per month
The Path Forward
There's a natural tendency to focus on business needs that are perceived to be more urgent than requirements that, technically, don't take effect until March 31, 2025. However, organizations should start taking steps immediately to understand the new requirements and make any necessary changes. They should also develop a long-term strategy for achieving and maintaining compliance rather than implementing a series of unsustainable quick fixes.
From a technology standpoint, organizations should assess the state of their existing security infrastructure and evaluate solutions such as next-generation firewalls, intrusion prevention systems, anti-malware, advanced encryption systems, multifactor authentication and offsite backups.
Organizations should view PCI DSS 4.0 compliance as an opportunity to improve their security posture. By following the requirements, organizations can keep payment card data secure and reduce the risk of a costly security breach.
Benefits of Managed IT Services from Global Data Systems
- Strategic Managed IT: We help you solve your technology-related business problems.
- Connectivity: We get you reliable, secure connectivity anywhere in the western hemisphere in 48 hours.
- Support: When you need help, simply call our 24x7x365 support number.
- Billing: Instead of managing hundreds of vendors, get one easy-to-read bill from GDS.
Contact Managed Services Provider, Global Data Systems >