The latest evolution of the Payment Card Industry Data Security Standard - better known as PCI DSS - has recently been made available, making now a great time for businesses to focus more attention on PCI compliance.
Periodically updated to drive improvement, this latest version - PCI DSS v4.0 - won’t come into effect until March 2024, but it is one of the most transformative updates yet. With a whole new set of technical and operational requirements - 12 key requirements and over 300 sub-requirements, to be exact - remaining PCI-compliant will take continual effort.
And it’s not just about remaining compliant. Any business processing any kind of card transaction should take the necessary steps to protect account data - for some, this means starting the journey to PCI compliance from scratch.
With goals including ‘continuing to meet the security needs of the payment industry’ and ‘adding flexibility for different methodologies’, the development of PCI DSS v4.0 has been led by feedback directly from the industry and exists for the good of the industry. It is there to help businesses protect payment data and avoid the increasingly sophisticated cyber attacks we’ve seen of late.
That being said, for many, PCI compliance isn't quite at the level of priority it probably should be. However, business owners are all too aware of their responsibility and don't want to leave the door wide open to security breaches, which could affect them financially and put those all-important customer relationships at real risk.
With trust hanging in the balance - according to Adobe’s 2022 Trust Report, a staggering 66% of customers will stop buying if companies experience a data breach - now’s the time to ensure compliance.
It’s certainly worth considering whether your business’s customers would return if you were to experience a data breach. If your answer is no, but, like many businesses, you find PCI compliance a complex and time-consuming element of running a company, then consider the following advice:
Look for Point-to-Point Encryption (P2PE) approved terminals to help secure your payments and mitigate fraudulent transactions. With P2PE, cardholder data is captured and encrypted inside the terminal before it enters the merchant's computer network, so the systems behind the terminal never handle it in the clear. This keeps the information safe from fraudsters while drastically reducing the paperwork and potential costs associated with PCI compliance for retailers.
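To make the P2PE point concrete, here is an added Go example (not code from this article or from any P2PE vendor) that models the data flow the paragraph describes: the terminal encrypts the PAN with AES-256-GCM under a key that exists only in the device and in the provider's decryption environment, and the merchant's software receives nothing but ciphertext plus a masked PAN for the receipt. The key label `terminal-key-01`, the first-six/last-four mask, the sample test card number and the `merchantSeesClearPAN` check are assumptions made for illustration; a listed P2PE solution runs on validated hardware with its own key-management scheme, which this sketch does not reproduce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// samplePAN is a constructed test card number, not a real account.
const samplePAN = "4111111111111111"

// TerminalRecord is everything the terminal releases to the merchant's POS
// software. The PAN is present only as AES-GCM ciphertext; the masked copy
// is the only cardholder data the merchant can display or store.
type TerminalRecord struct {
	KeyID      string // label of the terminal key in use (hypothetical name)
	Nonce      []byte // 12-byte GCM nonce, fresh per transaction
	Ciphertext []byte // encrypted PAN followed by the GCM authentication tag
	MaskedPAN  string // first six and last four digits, rest replaced by '*'
}

// maskPAN keeps the first six and last four digits (an assumed receipt
// format); PANs too short to mask safely come back fully masked.
func maskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtTerminal models the P2PE device: the PAN is encrypted inside the
// terminal, so the merchant network never carries it in the clear. The key
// label is bound as associated data, so a record cannot be presented under a
// different label without the tag check failing.
func encryptAtTerminal(key []byte, keyID, pan string) (TerminalRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return TerminalRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return TerminalRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(keyID))
	return TerminalRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct, MaskedPAN: maskPAN(pan)}, nil
}

// decryptAtProvider models the solution provider's decryption environment,
// the only place besides the device where the terminal key exists. Any
// modification to the record in transit makes the GCM tag check fail.
func decryptAtProvider(key []byte, rec TerminalRecord) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
	if err != nil {
		return "", fmt.Errorf("decryption failed: %w", err)
	}
	return string(pt), nil
}

// merchantSeesClearPAN is the question an assessor asks of the merchant side:
// does anything the POS receives contain the full PAN? It must be false.
func merchantSeesClearPAN(rec TerminalRecord, pan string) bool {
	p := []byte(pan)
	return bytes.Contains(rec.Ciphertext, p) || bytes.Contains(rec.Nonce, p) ||
		strings.Contains(rec.KeyID, pan) || strings.Contains(rec.MaskedPAN, pan)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys live in the device and the provider's HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := encryptAtTerminal(key, "terminal-key-01", samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant receives: key=%s masked=%s ciphertext=%x\n", rec.KeyID, rec.MaskedPAN, rec.Ciphertext)
	fmt.Println("merchant can see clear PAN:", merchantSeesClearPAN(rec, samplePAN))
	pan, err := decryptAtProvider(key, rec)
	fmt.Println("provider recovers PAN:", pan == samplePAN, "error:", err)
}
```

The scope reduction the article promises follows directly from this split: because the merchant's POS, network and logs only ever hold the ciphertext and the masked PAN, the controls that govern clear-text cardholder data do not apply to those systems. The associated-data binding and the tamper check matter because an attacker who can alter records in transit gains nothing; the provider simply rejects them.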
Alongside complying with current regulations, getting up to speed with PCI DSS 4.0 now is a great way to ensure you have the time to prepare for those new or expanded requirements. PCI DSS v3.2.1 will remain active for two years after v4.0 is published. This provides organisations time to become familiar with the new version, and plan for and implement the changes needed. However, with 12 key requirements and over 300 sub-requirements in PCI DSS 4.0 there could be a lot to plan for. For example, if you’re a retailer that does face-to-face payments, mail and telephone orders, and also payment transactions over the web, then you’ll have to apply PCI across all three channels – that’s 900 potential control questions.
Consider engaging an external partner to help make sure you are PCI-compliant. There are experts in this field available to help, and for most, avoiding the risk of penalties and reputational damage should far outweigh any upfront costs for external
The bottom line here is to give PCI compliance the attention it deserves. Be proactive and prepare accordingly, choose your payment providers and external support wisely, and remember that fraud doesn't discriminate by industry, employer, size or geography.