PCI DSS is having a shake-up this year with the release of PCI DSS v4.0 expected later in 2021. Final details are still to be announced but are expected to include requirements for more frequent testing and more rigorous authentication.
With these changes on the horizon, businesses might be wondering what they can do to prepare. Here we have some handy tips.
Why is a new standard needed?
The card payment landscape has changed dramatically since PCI DSS was launched by the major card providers back in 2006. Contactless payments, most recently via smartphone, as well as advancements in global internet speeds, open banking and cloud-based technologies, have revolutionised the industry. While these developments have been great for both businesses and consumers, they have also opened the door to greater risks and vulnerabilities that cyber criminals are exploiting, finding weaknesses in interfacing systems to access personal and payment data.
PCI DSS v4.0 is the first major revision to the standard since 2013. It’s expected that the 12 core requirements will remain the same, with updates to reflect changes in technologies and cyber threats. These include the following high-level objectives:
- To ensure the standard continues to meet the security needs of the payments industry and the businesses that use it.
- To add flexibility and support that will enable the standard to be applied across the variety of payment methods now available.
- To promote and encourage businesses to see security and PCI DSS compliance as an ongoing process rather than a one-off tick box exercise.
- To enhance validation methods and procedures – enforcing encryption and authentication processes for card payments.
What can you do to prepare?
The good news is that the PCI SSC have stated that there will be an extended transition period for organisations to update their systems to PCI DSS v4.0. For 18 months post launch, both PCI DSS v3.2.1 and v4.0 will be active, followed by a further period of time (yet to be confirmed) for phasing in new requirements.
However, while 18 months might seem long enough, we all know how time flies by, especially when juggling other roles and responsibilities. There’s no harm in getting a few things in place now to ensure the transition to the new framework is as smooth as it can be. Here are just a few ideas of how you can prepare:
Identify who will be responsible
A multi-disciplinary approach including every level of the business, from senior management through to IT, HR, sales and marketing, is essential for an effective roll-out of revised PCI DSS policies and practices. Assigning responsibility early on to one person or team to oversee the implementation will make the process a whole lot smoother, identifying where expertise and technology are needed and minimising the risk of critical tasks falling through gaps between departments.
What budget is available?
How much you need will depend on the state of your existing card payment processing systems and policies. Investing now to upgrade your systems – improving encryption and authentication and applying them across all payment channels – will better prepare your business for the transition to the new guidelines. At the very least, you should be ensuring that budget is allocated to the roll-out of updated processes further down the line.
Explore your options
Have you considered investing in an external card payment solution to manage payments? Outsourcing your payment processing to an outside provider descopes your business from PCI compliance, placing responsibility onto the provider instead, including updating to the new v4.0. Explore your options now and get ahead of the game.
At PCI Telecom we create card payment processing solutions that meet the needs of your business, whatever its size and budget. Our solutions are cloud-based, so there’s no need for expensive equipment, and they can be used for all card-not-present payment channels, including over the phone to a live agent, via automated IVR, online, email and webchat. Most importantly, our solutions are PCI DSS compliant, accredited to Level 1 standard and with end-to-end encryption, so you can rest in the knowledge that your payment process is always adhering to the guidelines, even when changes are made to them, and protecting the business and your customers from cyber attack and data breach. Find out more by visiting our Solutions page or get in touch with us here.