New Payments Ecosystem Standard Enters Into Force

April 10, 2024
A new version of the global payment card data security standard, PCI DSS v4, came into force last week, putting firms at risk of fines or the termination of their agreements with leading payment brands and merchant acquirers if they fail to comply with it.

The PCI Security Standards Council (PCI SSC), which groups many of the world’s leading payment brands, issued version 4.0 of the PCI Data Security Standard (PCI DSS) on March 31, 2022. After a two-year transition period during which it ran alongside the previous version, it became the only active version of the standard on April 1 this year.

PCI DSS is not a law: regulators do not mandate compliance with it (the US state of Nevada, which has written the standard into statute, is the exception). Instead it is enforced contractually by the payment card brands and acquiring banks. Demonstrating compliance is therefore necessary for any organisation that wants to keep operating in the global payments ecosystem.

PCI SSC is governed by an executive committee of six major payment brands: American Express; Discover Financial Services; JCB International; Mastercard; Visa; and UnionPay.

The new standard "covers both sides of the ecosystem, including merchants in-store, online and service providers”, said Ian Terry, director of cybersecurity services at compliance consultancy IS Partners. “Both these are impacted and all their activities associated with PCI need to be on this standard.”

This includes all levels of compliance, he said. “There are different levels established by the payment brands that essentially say ‘hey, if you're doing this many transactions, you're at a certain level and you need to do certain things to show that you're complying’.”

“Level 1 may be 6-7m transactions and this requires the use and involvement of a qualified security assessor,” he said. “This impacts all of those levels, and there is also self-assessment at other levels."

Complex compliance

The latest overhaul is both complicated and technical, even for those directly involved in implementing it.

“For firms who have not yet achieved PCI DSS v4, and have not yet mobilised to achieve it, this should be prioritised now,” said Nick Delacamp, regional president of payment security company A24. 

Delacamp said the previous standard, v3.2.1, was retired on March 31, 2024, noting that any organisation being assessed for compliance after that date will need to meet the new standard. Although 51 of the new requirements are currently designated “best practice” rather than mandatory, they will become compulsory on March 31, 2025.

An organisation that achieved certification against the previous standard in the year before March 31, 2024 now has until the 12-month anniversary of that certificate to achieve compliance with v4.

“Any organisation that processes or transmits payment cardholder data, typically credit and debit cards carrying the Visa, Mastercard, American Express, Discover and JCB logos, is contractually required to comply with the PCI-DSS standards,” said Delacamp, adding that responsibility for compliance sits with senior managers in a number of different departments, including risk management, compliance, product management and IT infrastructure. 

According to David Homoney, technical solutions architect at World Wide Technology, there is a plethora of changes between the outgoing v3.2.1 standard and the v4 standard now in force.

“The real sea change with PCI DSS v4 is its focus on application security at the code level,” he explained. “Outgoing standards allowed something like a web application firewall to remediate the need for deeper security at the code level. This change of focus to one of shift left security is foundational to understanding the changes within PCI DSS v4.”

The Oklahoma-based consultant said that a lack of understanding of how to tackle the changes has been one of the biggest issues for those implementing the latest standard. “There definitely needs to be more awareness and more drive to ensure compliance is maintained.”

“For example, almost no one I’ve talked to on the subject has noticed the requirement for yearly training on secure coding practices and on the tools used to defend the applications as well,” he said.

Delacamp meanwhile said that there are a number of opportunities for organisations to prepare better for achieving compliance with the new v4 standard.

"People need to understand what has changed. There are 57 entirely new requirements to address," he said. "The change between v3.2.1 and v4 is significant and embraces new aspects of protection, including a focus on newer technologies such as cloud computing, virtualisation and mobile payments."

Further, it brings enhanced authentication and authorisation requirements, enhanced monitoring and threat detection approaches, and a focus on vendor and supply chain security.

There is also the opportunity to minimise what needs to be assessed. "The new standard takes a more flexible approach to ensure that the scope of assessment is appropriate to the situation."

"Some simple changes may enable large parts of an operation to be taken out of scope of an assessment which simplifies and speeds up the process, but the customised elements require more planning and more input from the firm."

Further, he said that industry players need to allow time to prepare for and respond to the assessment process. "Compliance is usually a team achievement involving resources from across the business working together. While there are many technical elements, people and processes are equally critical to a successful outcome."

Consequences of non-compliance

There are a number of potential consequences of non-compliance, including fines and penalties set by the card brands such as Visa, Mastercard and American Express and passed on through the acquirer, which can range between £3,000 and £160,000 per month until the non-compliance is addressed.

Increased transaction fees can also be imposed by the payment card brands to cover the costs associated with non-compliant processing and, in some instances, a merchant could find themselves banned from accepting cards to process payments.

“In addition, if there is a breach of cardholder data, then an organisation can be required to pay the costs for the damages of the lost credit card numbers,” said Delacamp. Moreover, “non-compliance can lead to loss of customer trust, reputational damage, lost business opportunities and legal consequences”.

Jake Eliasz, cybersecurity advisor at Cipherlex, said that non-compliance sets off a chain reaction.

“There is a contract in place between a merchant and an acquirer, known as the merchant agreement,” he said. In this agreement, the merchant agrees to comply with PCI DSS and to present evidence of PCI DSS compliance to its acquirer on an annual basis.

“The acquirer holds every right to penalise the merchant financially for non-compliance, either by increasing the transaction cost or by enforcing a fixed monthly penalty fine,” said Eliasz. In addition, the acquirer has an obligation to monitor and report PCI DSS compliance for all of its merchants to the payment brands such as Visa, Mastercard or AMEX.

Homoney said that ultimately the opportunity with the new standard is for the payment cards industry to drive the change, “so desperately needed”, to view application security holistically. 

“For far too long development and security operations teams haven’t talked,” he said. “Both are doing things to secure the application but not in a unified and coherent manner. PCI DSS v4 is driving this change and it will lead to more secure applications and less loss of sensitive data.”
