To address the ever-evolving risks to the credit card payment ecosystem, the Payment Card Industry Security Standards Council has been preparing the next major update to the PCI DSS standard. The PCI DSS framework is 15 years old, and a lot has happened in the payments industry since the first standard. PCI DSS v4.0 addresses the most recent changes, such as payments by Near Field Communication (NFC, for example Apple Pay), and improves risk assessment processes.
Last year, the council published a draft version of the new standard for comments from merchants and service providers. As the input was accepted and the framework evolved, we’re getting closer to knowing what the final standard will include. Some of the most important updates will consist of:
- Authentication – closer alignment with industry best practices.
- CHD Protection – transmission of CHD must be encrypted even on private networks.
- Security Awareness – added requirements for end-user training.
- Scoping – increased testing, documentation, and periodic validation.
- Risk Assessment – modifications to prevent “checkbox exercises” by companies.
- Sampling – verifying that controls are in place.
- Cloud – accommodating cloud hosting services.
You can find a more detailed analysis of the main points on the LBMC website.
History
Every merchant that accepts credit card payments from their customers must comply with the current Payment Card Industry Data Security Standard (PCI DSS). The standard defines security management policies, procedures, network architecture, software design, and other critical controls for protecting cardholder data (CHD). Failure to comply exposes organizations to data breaches, hefty fines and fees, and even loss of business.
The Payment Card Institute formed in 2004, but the origins of today’s payment security standards date back to the mid-1990s. During that time, online e-commerce was on the rise, as was the sophistication of fraudsters seeking to exploit merchant and banking systems. In response, VISA announced its Cardholder Information Security Program (CISP) in 1999 and implemented it in 2001. American Express, Mastercard, and Discover quickly created their own security standards, requiring merchants to adopt multiple security compliance programs.
PCI DSS was first introduced in 2004 as a unifying standard to eliminate the confusion of complying with multiple security standards. Version 1.1 was adopted in 2006 with the formation of the PCI Security Standards Council, an independent group overseeing the future evolution of the standards.
Several versions have been released over the years to ensure the adoption of industry best practices in response to the ever-changing security landscape. The current version, 3.2.1, was released in May 2018, with new requirements for multi-factor authentication and secure communications.
Secure IVR Payments
IVR Technology Group helps businesses mitigate PCI risk when accepting payments by phone or text with our Compass Payments Suite. Contact sales to learn more.