The Payment Card Industry Data Security Standard (PCI-DSS) was first introduced in 2004 by the credit card giants American Express, MasterCard, Visa, and Discover. Since that time, the standard has undergone various updates and changes, all aimed at protecting payment card information and increasing security controls over confidential data. The most recent version of the PCI-DSS was released on March 31, 2022, and contains important new additions to the existing version of the cardholder data compliance mandate.
Over the years, there have been many instances where proper adherence to PCI-DSS could have easily helped avoid a lot of credit card breaches—the Equifax breach in 2017, being a good example.
Before we delve into how you can avoid similar situations and the notable changes in PCI-DSS 4.0, let's take a brief look at:
PCI-DSS is a set of standard security measures and protocols that must be adopted by any business that deals with payment card data. It is overseen by the PCI Security Standards Council, or PCI SSC, along with several other standards that work together to help protect the payment card user's confidential information. PCI-DSS focuses on fostering a secure environment for the payment card data to be stored, transmitted, or processed. The council enforces this through the 12 requirements grouped into the six goals of PCI-DSS.
Apart from addressing data security concerns, PCI-DSS is part of a system of controls that were put in place by credit card companies at a time when each company had separate systems to combat credit card fraud and breaches. Visa was one of the first companies to create a set of standards, and the others soon followed suit with individual policies. Each of the credit card companies had a separate set of protocols, which meant merchants had to follow several different compliance standards. As the number of fraud attempts and cases increased, this led to each of the credit card companies coming together to create a common set of security protocols.
Being PCI-DSS compliant doesn't just mean avoiding non-compliance fees, or that there are minimal controls in place to protect payment card data. It also means that organizations are following a set of standards that aim to solve and prevent common problems faced when accepting credit card payments.
Complying with a reputed security standard like PCI-DSS not only keeps confidential payment card data that merchants handle secure, it also ensures that best practices are followed that create an overall cybersecure environment for all information processed—financial or otherwise.
There are several consequences for not being compliant with PCI-DSS. You would think the worst one would be losing company revenue to non-compliance penalties, which can cost a pretty penny: up to a $500,000 penalty.
For small or medium-sized businesses, the fine can lead to damage to the organization's reputation, a loss of sales, perhaps even the closing down of operations and, ultimately, bankruptcy.
Bigger companies who've paid the non-compliance fines have also shelled out a fortune in legal fees.
While the fundamental controls and objectives remain the same, the fourth version, which seems to be aligned with the NIST framework, also focuses on the importance of identity and access management in securing payment card data. It asserts the importance of authentication protocols like MFA, to ensure cloud security and uses NIST password guidelines for the same.
The most significant aspect of the new version for businesses that handle payment card data, is customized implementation of alternative protocols. Companies initially had to go through a cumbersome and expensive process to come up with a viable alternative to the security controls put forth by PCI-DSS; it was called compensatory controls. PCI-DSS 4.0 introduces two ways to go while implementing the 12 controls: The Defined approach, which was followed previously, and the Customized Approach, which gives companies the freedom to come up with an alternative to the listed protocols, provided the organization has strong risk management processes in place.
Companies are divided into various levels based on the number of payment card transactions they process annually.
Level 1: Consists of organizations that process more than six million transactions
Level 2: Consists of organizations that process one to six million transactions
Level 3: Consists of organizations that process 20,000 to one million transactions
Level 4: Consists of organizations that process less than 20,000 transactions
Based on the level they belong to, each company is required to follow certain compliance protocols. Companies or merchants that fall under level 1 have to undergo an audit assessment by a Qualified Security Assessor (QSA), who will prepare a Report on Compliance (RoC). This is then sent to the company's acquiring bank, which then sends it to the concerned credit card company.
Those that fall under levels 2-4 can validate their PCI-DSS compliance by submitting a Self-Assessment Questionnaire (SAQ), or a RoC.
As mentioned earlier, there are 12 PCI-DSS requirements companies have to comply with including:
Apart from this, companies also have to generate audit reports of these requirements to complete the necessary assessments put forth by the mandate.
A SIEM solution like ManageEngine Log360 helps you keep track of your security applications through continuous log monitoring from data sources like firewalls, switches, routers, and through automatic compliance violation alerts that pop up immediately on your phone and email every time there is suspicious activity and audit changes to critical security settings. Log360 can also help you monitor and analyze privileged user and administrator accesses by generating dashboards based on their user behavior.
The best part of Log360 is its ready-to-use audit reports that can be generated from a few clicks. The audit reports help you stay on top of crucial compliance requirements without the hassle of compliance reporting.
To get started with PCI-DSS compliance with Log360, download a free trial or get in touch with our product experts for a customized demo of the product.
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.