Now that the Payment Card Industry Data Security Standard 4.0 has gone into effect, merchants have a year to conform to the 63 new or updated requirements. With so many moving parts in the standard, some businesses may struggle to understand their compliance obligations. At the same time, they don’t want to risk creating friction in the customer experience as they introduce the new security measures.
In a recent PaymentsJournal podcast, Sukanya Madhavan, Payments Chief Product and Technology Officer at CSG Forte, and Don Apgar, Director of Merchants Payment Practice at Javelin Strategy & Research, discussed the new rules. They examined the implications of the change and mapped out steps business owners can take to ease the shift to the new standard.
Evergreen and Ongoing
One of the main things to know about PCI compliance is that it’s an evergreen and ongoing process. The purpose of the compliance program is to build a safety net for consumers to make sure they’re protected against bad actors. It also streamlines merchants’ card payments operations.
“The program is designed to ensure that customers have peace of mind when they provide their data to us,” Madhavan said. “It should be considered a continuous improvement process, where businesses look for innovative ways to solve the evolving challenges.”
In response to ongoing data breaches, the PCI standard mandates that merchants conduct quarterly internal and external vulnerability scans. Due to the sophisticated technology involved, it’s critical to have an individual who is well-versed in the systems to review these scans.
If merchants need help, Qualified Security Assessors (QSAs) and payment processors can give guidance. Often, the issues turn out to be basic security weaknesses involving passwords, such as password sharing or passwords that aren’t strong enough. Help is also available if the issue is more complex.
“Merchants should know they can reach out to their processors, and there is a whole network of support,” Madhavan said. “It’s a partnership between the processor and the merchant to ensure that they are jointly taking care of the consumers’ data. Some processors have gone so far as to create instructional webinars, and there’s even a hotline.”
Not a Burden
Maintaining PCI compliance isn’t just about protecting customers. It’s also about safeguarding businesses. When there’s a substantial PCI violation or a significant data breach, it’s often newsworthy. But it’s not the kind of publicity businesses want.
“With the sheer volume of data and the high profile of many companies, it’s a reputational risk,” Madhavan said. “The consumer data that companies store is there to fuel business growth, and it’s a critical part of doing business. [The costs of switching brands] have decreased so much these days that you must ensure your customers trust you to take care of their data.”
“Many merchants view the PCI compliance requirement as a burden,” Apgar said. “They’re just looking to check a box. They don’t understand that this is a great opportunity for them to take a step back and review where data is being stored, what its uses are, and what rules govern it. PCI is not there to be burdensome to businesses. Keeping cardholder data secure should be viewed as a benefit.”
The Timeline to 4.0
Merchants that take card payments can already start the switch to DSS 4.0, but there’s still a one-year period before all companies must be compliant. Although some of the new requirements are process enhancements, others are technology-driven. For example, multifactor authentication and passwords with a minimum of 12 characters are now required.
Depending on the business, that switch could take time and affect customers.
As Apgar noted, “Merchants are hesitant to implement some of these things because they don’t want their customer experience to have more friction than their competitors. But if they’re able to introduce new security capabilities, even if the authentication requirements may be more cumbersome, the benefits will offset the drawbacks.”
One of those benefits is added protection from fraud. The advent of newer technology, including generative artificial intelligence, brings a new set of challenges as well.
“It can be a lot for merchants to consume,” Madhavan said. “Should I focus on running my business? Should I focus more on the technology and the security side? It’s important for us as solution providers to make it easier for businesses to operate because they have all these other tasks to perform. We need to support them so they can focus on the core business.”
No Magic Bullet
Security practices are continually evolving to combat new threats. That means companies should be prepared to evolve with those practices, even after they reach compliance with PCI DSS 4.0.
“There’s no magic bullet when it comes to the security side of it,” Madhavan said. “And it takes a village. It takes all of us working together to make sure that the systems are secure. If you don’t know what works for you, there are providers and approved QSAs who can help you. You can also take ownership by continuing to review security best practices and conducting vulnerability scans.”
Another key takeaway is that even though there’s a grace period, merchants should start to work on their gaps to comply with DSS 4.0 as soon as possible. A requirement for more secure passwords, for instance, works only if all of a company’s customers have updated their passwords.
“All these things have to be mapped out; otherwise, you risk a really poor customer experience,” Apgar said. “A year may sound like a long time, but when you start to map out the items that need to be completed and all the moving parts, it’s not so long, after all.”