The risk and compliance culture has changed drastically across the globe in recent years, and compliance standards have had to evolve to keep pace. The aim is to protect the consumer, the provider and the payment data. The Payment Card Industry Data Security Standard (PCI-DSS) was developed to encourage and enhance payment card account data security and to facilitate the broad adoption of consistent data security measures globally.
The standard
Since the early 2000s, the Payment Card Industry Data Security Standard (PCI-DSS) has been on a journey to enhance the security of card payment data. Current events such as the pandemic and the Ukraine-Russia war, coupled with increasing cyber attacks, have all placed additional pressure on the security of data. PCI-DSS version 4.0 has been launched to address emerging threats and the new, advanced digitised technologies that cyber criminals are looking to exploit. Monica Peethum-Nanoo, manager for Risk and Compliance at Altron FinTech, says PCI-DSS has evolved over the years as a global standard that provides a baseline of technical and operational requirements designed to protect account payment data. Although organisations have some time to implement changes for the new version of the standard, businesses need to prepare to phase in the new requirements it identifies.
How it’s changed
The latest version aims to enhance the standard so it continues to meet the security needs of the payment industry and promotes security as a continuous process, providing flexibility and enhancing validation methods. When customers provide a company with their payment information, they trust that their data will be transacted securely. Trust is at the heart of every payment transaction. To ensure that businesses meet that expectation, the Payment Card Industry Data Security Standard was created.
For the first time ever, there has been a drive within the industry to ensure that the standard covers all of the stakeholders, with overwhelming feedback provided by the industry globally. “This is the first time that we’ve seen such an awesome collaborative engagement in the payment card industry, with industry and various stakeholders collectively engaging to enhance the standard so that it protects card payment data the way it should in the future.” The critical components of securing credit card data, the 12 core PCI-DSS requirements, will not undergo any major changes. However, updates that strengthen security control requirements and give organisations more flexibility in how they achieve compliance will build on advances in security technology, risk mitigation techniques and the evolving cyber threat landscape.
When it comes to compliance, change is constantly on the horizon. Compliance with PCI-DSS is crucial to retaining your customers’ trust, and defending against the never-ending stream of attacks from cyber criminals is critical. The new version of the standard introduces increased flexibility in terms of the different methodologies that organisations can use to achieve their security and compliance objectives. This version of the standard also offers enhanced validation methods, making reporting and validation simpler and more transparent than ever before.
The changing risk and compliance landscape
The payments landscape evolved and became increasingly digitised during the pandemic, to the extent that most individuals and businesses now make payments using different devices and a multitude of platforms. Keeping payment data secure across all of these methods and platforms is another driver behind PCI-DSS 4.0, including its more flexible approach to achieving the requirements it sets out.
As innovation and technology become more digitised, cyber security risk has also increased. Compliance has had to be enhanced to ensure these risks are managed and mitigated, and PCI-DSS is no exception: it has evolved on an ongoing basis to keep pace with trends in risk and compliance that change continuously as the world changes.
“Risk and compliance with due diligence helps organisations make informed strategic business decisions about the impact of emerging risk. Business has to make sure its compliance and risk frameworks are continuously updated and improved to accommodate changing risks.
“We must ensure that the implementation of the PCI-DSS v4.0 standard continues to meet the security needs of the payment industry and offers security as a continuous process. Protecting payment card data requires that controls and methodologies be deployed and implemented at the provider before certification can be achieved. Achieving this compliance standard can’t be a box-ticking exercise, it’s a business-as-usual approach of integration and inclusive of security best practices. The aim is to enhance the provider’s systems to protect payment data. It’s crucial for customers to know that when they are transacting with a provider, their data is in a trusted, secure environment.”
In summary, the changing risk and compliance landscape requires new thinking and agile approaches that keep evolving. It needs to be constantly evaluated across the entire ecosystem to identify emerging potential vulnerabilities and risks. “Before partnering with a provider, do your due diligence and ensure they’ve attained the right level of compliance for their business,” advises Peethum-Nanoo.