Changes to the standard reflect the continued evolution of payment technologies globally and a shift in the underlying security landscape, an expert has said.
The fourth version of the standard will come into effect on 1 April, impacting all companies that handle cardholder data. The update introduces 64 new requirements for organisations to comply with, if applicable to their environments. PCI DSS 4.0 also introduces a ‘customised approach’ to compliance, offering entities some flexibility to select controls that they deem more suitable for their environments, in contrast to previous iterations of the standard which required strict adherence.
The PCI Security Standards Council, a global forum that brings together leading payment card providers, has enlisted the help of technical advisors from entities including IBM and Amazon to uplift the standard to address modern threats to payment security in light of ever-evolving threats and innovations in how payments are processed. Many of the evolving requirements address the increased use of cloud services, software-as-a-service (SaaS) solutions and co-located data centres.
Ben Gibbins, a cyber security professional at Pinsent Masons specialising in the financial services industry, said that the update “raises the bar for cyber security controls in the payment cards industry by mandating existing best practices around user authentication and data encryption”.
“Organisations and cardholders alike should welcome the new standard, as meeting its requirements will prevent data breaches in the future and increase trust in our payments systems,” he said.
Of the 64 requirements, 13 will come into effect immediately on 1 April. The remainder should be viewed as ‘best practices’ until 31 March 2025, when they will also become mandatory.
The PCI DSS incorporates four compliance levels based on the volume of card transactions an organisation handles each year. Providers should fill out a self-assessment questionnaire developed by the PCI Security Standards Council to determine the level of compliance that applies to them.
For level one compliance, the highest level, an annual report on compliance must be produced by a qualified security assessor. Businesses to which lower compliance levels apply can complete a self-assessment and use this as evidence of compliance. There are also requirements common to all levels, such as regular vulnerability scans, to ensure adequate protection of consumers in vulnerable positions.
Organisations must carry out an annual review to confirm and document the scope of their operations, and therefore which of the four compliance levels they should maintain. These reviews should include details on matters such as technical processes and data flows. All reports carried out as of 1 April will be assessed for compliance against PCI DSS 4.0. Firms that completed an annual assessment prior to this date, for example in February, are not required to carry out another review until next year.
Although the PCI DSS is not legally binding, failure to comply with the standard can result in monthly fines from the PCI Security Standards Council. These fines can run to six figures depending on the volume of clients and transactions handled by the provider in breach. Businesses in breach may also face suspension of the right to accept credit cards. Lack of compliance may also increase a firm’s risk of suffering a data breach and the associated fines, such as penalties issued by the Information Commissioner’s Office (ICO).
Julia Varley, cyber risk expert at Pinsent Masons, said: “Historically, the ICO has taken strong enforcement action when a cardholder’s data has been compromised. This update will help organisations firm up resilience and will certainly help reduce the risk of things such as skimming attacks and, as a consequence, the risk of regulatory enforcement plus the associated reputational damage caused.”
Gibbins added: “Being PCI compliant not only gives peace of mind but it can make a business stronger and more resilient. Compliance showcases that organisations are prioritising the protection of customers’ cardholder information and contributing to a more secure payment card environment.”