Every organization that stores, processes, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the Payment Card Industry Security Standards Council (PCI SSC). The version most merchants are assessed against today is PCI DSS v3.2.1.
PCI DSS is a global standard for protecting card payment data. It defines the technical and operational requirements for any business that handles payment data or is involved in payment processing.
PCI was designed to be an evolving standard. As new threat vectors have been identified, the standards have evolved to meet those threats.
PCI DSS v4.0 is the result of three years of collaboration with more than 200 organizations. The goal was a set of requirements that stays relevant in a complex and constantly changing payment security environment. Version 4.0 also clarifies the intent of each requirement so there is less room for interpretation in how to apply it.
But the changes go a step further than keeping up with new threats and tightening requirements. The new standard emphasizes that security is a continuous process, not a once-a-year assessment. It also gives organizations more flexibility: alongside the traditional defined approach, v4.0 introduces a customized approach that lets an organization meet a requirement's objective with controls of its own choosing, provided it can demonstrate that those controls are effective.
Here are a few of the major impacts of the new standard:
One of the biggest changes for merchants concerns ACH payments, that is, bank-to-bank transfers.
NACHA is the independent organization that governs electronic bank transfers such as direct deposit and direct payment. Because ACH transactions carry bank account data rather than card data, NACHA has historically set its own security rules for bank transfers.
Effective June 30, 2022, NACHA's data security rule requires that bank account numbers be rendered unreadable when stored electronically, which aligns the protection of stored ACH data with what PCI DSS requires for stored cardholder data. Before this change, a business storing banking data only had to meet the requirements NACHA set on its own. Now, a business that stores bank account and account holder data must protect it to the same standard it applies to card data under PCI DSS v4.0.
Businesses must also ensure that any third-party vendors or partners they use meet the same requirements.
The PCI SSC website offers an in-depth explanation of the new standard, a PCI DSS at-a-glance summary, and a broad resource hub to help navigate the changes.
The transition period from v3.2.1 lasts two years, from the publication of v4.0 on March 31, 2022 until March 31, 2024. During that time both versions are active and an organization may be assessed against either. On March 31, 2024, PCI DSS v3.2.1 is retired. Note that a number of v4.0 requirements are future-dated: they are considered best practice until March 31, 2025, after which they become mandatory.
The good news is that meeting PCI DSS is easier than it seems for most merchants. Many of the requirements are already considered security best practice. The main goal for a merchant is to reduce its PCI compliance scope: ideally, no cardholder data crosses your own network or is stored anywhere on it.
Moving as much processing as possible to a third party that meets the requirements reduces your scope as a merchant, and outsourcing your payment processing simplifies your compliance obligations. The acquiring bank, processor, gateway provider, and any other third-party vendors that touch cardholder data must themselves meet all PCI DSS requirements, so by partnering with them you may already satisfy most of the standard. Make sure the providers you choose actually do meet the standard: ask for a current Attestation of Compliance (AOC) and a responsibility matrix that states which requirements they cover and which remain yours. Don't just assume.
Outsourcing does not remove a merchant's obligations entirely. Merchants must still monitor their own environments and maintain internal policies and procedures governing how cardholder data is handled.
Use point-to-point encryption (P2PE) solutions that are PCI validated and listed on the PCI SSC website. Only a listed P2PE solution earns the reduced assessment scope the standard allows for; an unlisted encrypting terminal may be well built, but it does not give you that scope reduction, so be choosy. There are also numerous products and services that help merchants build a secure environment that follows security best practices and ultimately meets PCI DSS.
Implementing PCI DSS is a basic security strategy and part of a sound business plan. The business risks and costs of non-compliance, including breach response, fines, and loss of the ability to accept cards, can greatly outweigh the cost of implementing the proper security measures.
At MonerePay, security standards are a top priority. Our PCI DSS Level 1 validated gateway meets or exceeds the most stringent industry standards. If you're interested in processing payments through a PCI DSS compliant processor, call us today.