Let's start with the biggie: what is PCI DSS 4.0, what are we talking about, and who needs to worry about this? The Payment Card Industry Data Security Standard (PCI DSS) is a set of data security standards that help keep credit and debit card information safe. These standards apply to any company that stores, processes, or transmits cardholder data.
Types of businesses that could be impacted by these changes are:
Retailers: Both online and brick-and-mortar stores that accept credit card payments need to comply with PCI DSS 4.0 to ensure the security of cardholder data.
E-commerce Businesses: Online merchants, irrespective of their size, who accept, process, or store credit card information must comply with PCI DSS 4.0.
Service Providers: Companies that provide services to merchants, such as payment gateways, web hosting providers, or managed service providers, and handle cardholder data on behalf of others, are required to be PCI DSS 4.0 compliant.
Financial Institutions: Banks, credit unions, and other financial institutions that process credit card transactions must adhere to PCI DSS 4.0 requirements.
Payment Processors: Companies that process credit card transactions on behalf of merchants are subject to PCI DSS 4.0.
Hospitality and Travel Businesses: Hotels, airlines, and travel agencies that process credit card transactions need to comply with PCI DSS 4.0 to protect customer payment information.
Healthcare Providers: Healthcare organizations that accept credit card payments for services or products need to be PCI DSS 4.0 compliant.
Restaurants: Establishments that take credit card payments, whether in-person, online, or over the phone, must adhere to PCI DSS 4.0.
Educational Institutions: Universities, colleges, and schools that accept credit or debit card payments need to comply with PCI DSS 4.0.
Call Centers: Businesses that handle credit card information over the phone must also ensure PCI DSS 4.0 compliance.
A broad overview of the changes for 2024
If you are in charge of compliance for an entity like the ones listed above, then the next question is, "What's changing?"
Well, good question, reader. Here are some broad strokes of the changes being made this year:
Enhanced Authentication Protocols:
Stronger emphasis on Multifactor Authentication (MFA) across all access points to cardholder data.
Specific requirements for different types of authentication methods.
Advanced Encryption Standards:
End-to-end encryption requirements for payment processing.
Guidelines for implementing encryption within various transaction environments.
Inclusion of Mobile and Contactless Payments:
Updated standards for securing mobile payment applications.
Specific protocols for contactless transaction security.
Guidelines for Emerging Technologies:
Incorporation of security measures for emerging payment technologies like tokenization.
Consideration for evolving technologies and their impact on payment security.
Expanded Scope of Compliance:
Broader definitions of what constitutes a payment environment, reflecting diverse payment methods.
Clarification on the roles and responsibilities of different stakeholders in the payment chain.
Risk Assessment and Management:
Enhanced requirements for regular risk assessments.
Emphasis on proactive risk management strategies.
Vendor and Third-Party Management:
Stricter controls and monitoring of third-party service providers handling cardholder data.
Requirements for continuous compliance verification of third-party vendors.
Incident Response and Recovery:
Updated protocols for incident response in case of a data breach.
Guidelines for data recovery and continuity planning.
This is a complicated pile of stuff to worry about, so if you don't entirely follow, that's fair. I've been working in this field for a long time, and some of this can definitely be confusing.
But there's hope yet! Keep in mind that if you're using an e-commerce web platform like Shopify or Carta, they're likely handling much of this for you. They're handling all of the transactions, card capture, etc. The same would be true if you're a retailer using a cloud-based POS. Of course, you'll want to verify any of these questions with your POS/e-Comm providers.
But what do these changes mean for you?
Let's pretend for a moment that your organization is doing the bare minimum for security standards and was PCI compliant in 2023. The biggest things to worry about in 2024:
Multifactor Authentication (MFA):
- If you were previously using single-factor authentication, you'll need to implement MFA. This applies to all users accessing systems with cardholder data. This will help to keep accounts from being hacked. Tools like Duo can be very helpful for this.
- This is part of what we in the tech industry call a "Zero Trust" approach to security.
Advanced Encryption Standards:
- Upgrade to robust end-to-end encryption standards for all data transmissions within the cardholder data environment.
- End-to-end encryption is mostly handled by the actual credit card interfaces, so usually this matters most to a payment merchant, POS provider, or e-commerce provider: the type of company that actually handles the transaction.
Mobile and Contactless Payment Security:
- Implement updated security protocols for mobile and contactless transactions, which might involve software upgrades or changes in hardware.
- Important for retailers, because some of these additions can mean updating hardware such as card readers and POS terminals. This can be expensive, so if you're a retailer/restaurant/merchant that takes card payments, it's important to check and make sure you're up to date.
Compliance with Emerging Technology Standards:
- Integrate security controls for any new payment technologies (like tokenization) that your organization may adopt.
Enhanced Risk Assessment Procedures:
- Develop or enhance your risk assessment procedures to be more frequent and comprehensive, as per the new guidelines.
Vendor and Third-Party Management:
- Review and possibly update agreements with third-party vendors to ensure they are compliant with the 2024 standards.
- Implement continuous monitoring and verification processes for third-party compliance.
Incident Response and Recovery Plans:
- Update your incident response plan to align with the latest requirements.
- Ensure your data recovery and business continuity plans are robust and tested regularly.
- Make sure you actually have an incident response plan! Not just an online monitoring tool that watches for problems. By the time the tool finds a problem, there's most often a lot more work to do to fix it.
Training and Awareness Programs:
- Update training programs for staff to include information on the new standards and security best practices.
Documentation and Policy Updates:
- Revise internal policies and documentation to reflect the changes in compliance requirements.
Let's take a little more detailed look...
The 2024 PCI DSS 4.0 updates usher in a new era of security protocols and compliance requirements, setting a higher benchmark for data protection. A major change is the mandatory implementation of Multifactor Authentication (MFA) across all access points to cardholder data, a step up from the previous standards which allowed for simpler forms of authentication.
Additionally, there's a shift towards more stringent end-to-end encryption across the entire payment processing chain. Compliance now also extends to newer payment methods, including mobile and contactless transactions, which were previously not as rigorously covered. These changes require businesses to adopt advanced security technologies and revise their existing data protection strategies.
For small and medium-sized businesses (SMBs), these changes may initially seem daunting due to potential resource constraints. Implementing MFA and upgrading encryption standards might require significant investment in new technologies and training. However, these upgrades are essential not only for compliance but for building customer trust and safeguarding against breaches. For enterprise-level clients, the challenge lies in scaling these security measures across a vast and complex organization. Large enterprises will need to conduct thorough assessments of their current systems, possibly leading to extensive overhauls in their security infrastructure. Both SMBs and enterprises will benefit in the long run through enhanced security, reduced risk of data breaches, and strengthened customer confidence.
Let's pretend you're a retail SMB that previously relied on basic password protection for its payment systems. Under the 2024 standards, this business will need to integrate MFA, ensuring that access to payment systems requires additional verification beyond just a password, such as a fingerprint or a mobile prompt.
Pretending instead that you're a large healthcare provider (an enterprise-level client), the requirement for end-to-end encryption means reviewing and potentially upgrading your entire network of payment processing, from patient portals to in-hospital payment systems. This might involve integrating new software solutions and hardware upgrades to ensure that every point in the payment process is securely encrypted. These examples highlight the practical steps businesses will need to take to align with the 2024 PCI DSS 4.0 standards.
What's the risk of non-compliance?
Perhaps a smaller business might be on the fence, thinking, "What we have is safe enough; what's the downside to not complying with PCI DSS 4.0?"
Fines from Payment Card Brands: Businesses can face significant fines from payment card brands (like Visa, MasterCard, American Express, etc.). These fines can range from a few thousand to potentially millions of dollars, depending on the level of non-compliance and the volume of transactions.
Increased Transaction Fees: Non-compliant businesses may also be subjected to higher transaction fees by payment processors, which can significantly impact operational costs.
Reputational Damage: One of the most significant impacts of non-compliance is reputational damage. A breach resulting from non-compliance can lead to loss of customer trust, negative publicity, and long-term brand damage.
Legal Actions: In the event of a data breach due to non-compliance, businesses may face legal actions, including lawsuits from affected customers or other parties.
Loss of Credit Card Privileges: In severe cases of non-compliance, businesses can lose the ability to process credit card payments, which can be devastating, especially for e-commerce and retail businesses.
Remediation Costs: Non-compliant businesses may incur high costs in addressing the gaps in their security post-identification, including technology upgrades.
Long story short, these penalties can be very expensive. And as we talk about often on this site, hackers are looking every day for the least secure systems they can find to exploit. Just because you haven't been hacked doesn't mean it isn't going to happen. By being in compliance, you'll be not only better protected against a breach, but better prepared to handle a breach if and when it does happen.
So where does Cyber Advisors fit in?
Cyber Advisors has been strengthened by our new acquisition of White Oak Security. We now have the infrastructure not only for consulting and compliance help, but also for testing the resilience of your systems.
Cyber Advisors is well positioned to help with a suite of security tools, experts, and advice, to make sure that your company is in compliance. And with the White Oak Security piece, we can do offensive testing to make sure the defensive structure in place is robust enough to take on challenges.
How prepared is your organization to move to PCI DSS 4.0? If you have questions, it costs nothing to sit down and talk with one of our experts. Let us know if we can help!