
Merchants Worried by Deadline to Strengthen Payment Card Security

Merchants have until March next year to meet the new PCI (Payment Card Industry) security standards. If they fail to upgrade within the year, they could face penalties ranging from $5,000 up to $100,000.

The Payment Card Industry Security Standards Council (PCI SSC) develops the Payment Card Industry Data Security Standard (PCI DSS), which is used across the entire industry. The PCI SSC writes the standard; the individual card brands each develop their own compliance requirements and run their own compliance programs, which service providers then adopt.

A report released last month by Bluefin, a firm that offers PCI-validated encryption and tokenization technology, revealed that 94% of commerce industry respondents had significant or very serious concerns about payment data security. Only 21% of respondents said they were very confident in their ability to protect customers’ data, even as reports of data breaches in the industry keep growing.

According to the report, 98% of respondents said their organization had experienced at least one breach in the last 24 months, and 50% admitted to a breach that significantly disrupted the business.

PCI DSS Version 4.0 Must be Adopted Urgently

The commerce industry must adopt the latest Payment Card Industry Data Security Standard, PCI DSS 4.0, by the March deadline. The new PCI DSS 4.0 standard calls for a major security upgrade.

Payment stacks are evolving along with customer expectations, according to Brent Johnson, CISO of Bluefin.

In this environment, it’s not a question of if a company will be breached but when. Businesses must ensure compliance with the new PCI DSS 4.0 as part of a holistic approach to protecting customer data. “Our new report is a guide as organizations look to meet these requirements prior to the looming deadline of March 2025,” he stated when announcing the findings of the report.

Enterprise Readiness Information

Bluefin’s survey revealed key findings regarding enterprise readiness for the PCI DSS 4.0 requirements:

  • 93% of respondents indicated that the required changes are significant. Some 64% are concerned enough about meeting the PCI DSS 4.x timeline that they would support extending it.
  • Education on PCI 4.0 is still low and execution remains unsatisfactory. Less than a third of payment data professionals (31%) have a good understanding of the requirements, and nearly half (49%) say their organization has not yet begun implementing any of them.
  • The new PCI standards are viewed positively by most enterprises despite their challenges. More than four in five (81%) respondents agreed or strongly agreed that the new rules were fair, necessary and for the benefit of industry and consumers.

Support Tempered by Concerns

Despite the general optimism of survey respondents about the benefits of PCI DSS 4.0, there are also significant concerns about the changes. For many, the drive to meet the new standards is tempered by other operational concerns.

According to Bluefin’s VP of Marketing Nick Berents, respondents from large companies (5,000+ employees) see the new PCI requirements as more costly, time-consuming and resource-intensive than respondents from medium or smaller companies do.

The E-Commerce Times reported that “the most significant takeaway” for him was how many businesses are not prepared to meet the PCI DSS 4.0 requirements despite their concerns over payment security.


Berents was shocked by the number of businesses that were either behind schedule or not even trying to make the necessary changes.

“I am certain there has been progress from Q2 onwards as many companies appear to be more involved from what I see,” he said.

Compliance Challenges: How to Address Them

Berents’ report revealed that businesses found it hardest to comply with the new standards where they had to develop cybersecurity methods and perform targeted risk analyses. The report showed that IT and security departments would bear responsibility for many of the compliance challenges.

PCI-validated point-to-point encryption (P2PE) and payment tokenization are essential for meeting the PCI DSS 4.x requirements, and they also protect sensitive customer payment data. Berents said that implementing P2PE could reduce a company’s PCI compliance scope by more than 70%.

Over half (51%) said they would also rely primarily on third-party vendors to meet the PCI DSS standards. He said the best way for organizations to address payment security is to work with a trusted partner rather than feel they must shoulder the burden entirely on their own.

Many organizations are slow to adopt new technologies because of early concerns, lack of knowledge and mixed levels of comfort. During the survey, many participants expressed concern about the effort required.

Berents stated that “those who are well-versed in the subject place a higher value on PCI-validated P2PE (36% is the number three ranking) than those who only have a weak or moderate understanding.”

Potential Penalties May Push Upgrade Plans

Berents noted that while there is no legal consequence for missing the deadlines, non-compliant organizations can be subject to serious fines.

The standards carry no legal or regulatory mandate. Instead, they are self-governed by the Payment Card Industry Security Standards Council, which is managed by the global card networks. These governing bodies include Visa and Mastercard as well as payment processors, service providers and others from the payments ecosystem.


The prospect of fines for non-compliance goes a long way toward protecting customer data. PCI compliance also benefits merchants and consumers by reducing fraud.

Two Important Dates to Watch

A 12-month transition period applies to the new security measures: PCI DSS v3.2.1 will be retired on March 31, 2024, after which v4.0 will be the only active version.

Berents stated that the transition period gives organizations an opportunity to learn about the changes, plan for implementation and update their requirements.

If you have specific questions regarding your implementation or compliance obligations, please contact your acquirer, payment brands, or trusted vendors for help.

The best practices listed in version 4.0 become mandatory requirements on March 31, 2025.

Both dates are posted on the PCI SSC website and its PCI Perspectives blog.