The subject of data security is often shrouded in mystery, with a multitude of acronyms from a combination of industry buzzwords and regulatory bodies to comply with, often leaving practitioners confused. However, for businesses that rely on e-commerce or card transactions for payment, there is one acronym that must not be ignored...
What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) is a global information security regulatory body in charge of protecting cardholder data, founded by the world’s leading financial companies American Express, Discover, JCB, MasterCard, and Visa. Regulations set by the council are enforced through the Payment Card Industry Data Security Standard, or PCI DSS. This universal standard holds any organization that accepts, transmits, or stores any cardholder data accountable to a strict set of rules based on annual transaction volume, regardless of organization size.
While the scope of PCI DSS compliance can vary depending on the number of transactions, any merchant that processes more than 6 million transactions per year is obligated to comply with the most comprehensive controls. Similarly, any merchant that is required to meet this highest level of scrutiny is held to the highest level of accountability. Furthermore, any merchant that has suffered a data breach leading to compromised accounts may be considered for a higher PCI DSS validation level, regardless of how many transactions it processes annually.
What will change with PCI DSS 4.0
As technology, threats, and industry requirements evolve, so too does PCI DSS. The next version, PCI DSS 4.0, is expected to be completed by the end of this year, with supporting documentation to be released within a few months thereafter. While the main 12 requirements are not anticipated to change in any drastic way, one of the main goals that stands out is to “promote security as a continuous process.”
With the shift to security as a continuous process, it is paramount for any organization in the payments industry to have all their (security) ducks in a row, but how?
How to enable security as a continuous process
When it comes to securing cardholder data, PCI DSS requires primary account numbers (PANs) to be rendered unreadable wherever they are stored. For over a decade, data-centric security has been the protection method of choice for retailers and financial organizations of all sizes for enabling compliance, not just with PCI DSS, but also with a host of other data protection standards and regulations. The advantage of data-centric security tools, like tokenization, is that they protect the data itself, rather than just the perimeter around where the information is stored. Tokenization can even take data out of PCI DSS scope.
What security as a continuous process means in practice is that critical controls will be tested more frequently. So cardholder data must not only be protected; it must also be possible to prove, on shorter notice, that it is protected.
When it comes to compliance, cutting corners can result in huge regulatory fines and devastating impact to brand reputation. Don’t delay; find out where you're storing sensitive data, classify it, and protect it appropriately.
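The two ideas above, tokenization taking stored data out of scope and being able to prove on short notice that no readable PAN is stored, can be shown end to end in a few lines. The following is an added illustration, not code from the original article or from any PCI SSC document: a hypothetical vault-style tokenizer (`TokenVault`) that keeps the PAN only inside the vault and hands the application a random, letters-only token, plus a scanner (`find_pans`, `scan_record`) that flags Luhn-valid, PAN-shaped numbers in stored records. The sample order and the PAN (the well-known Visa test number) are constructed for the example.

```python
import re
import secrets
import string

# Constructed sample PAN: the well-known Visa test number, which passes the
# Luhn check but is not a real account.
SAMPLE_PAN = "4111111111111111"

# A PAN-shaped run: 13 to 19 digits, optionally separated by spaces or
# hyphens, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, which every card-brand PAN satisfies. It separates
    real PAN candidates from timestamps and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid, PAN-shaped number in a string, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_record(record: dict[str, str]) -> dict[str, list[str]]:
    """Scan each field of a stored record separately. The result is the
    evidence that a datastore does (or does not) hold readable cardholder data."""
    findings = {}
    for field, value in record.items():
        pans = find_pans(value)
        if pans:
            findings[field] = pans
    return findings


class TokenVault:
    """Hypothetical vault-style tokenizer. The PAN lives only in the vault;
    everything outside it keeps a random token that carries no cardholder
    data beyond the last four digits."""

    def __init__(self) -> None:
        # In a real deployment the vault is a separate, encrypted, tightly
        # access-controlled system; it is the one component still in PCI scope.
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            # Letters only, so a token can never look like a PAN to a scanner;
            # the last four digits are kept because PCI DSS allows displaying them.
            body = "".join(secrets.choice(string.ascii_letters) for _ in range(20))
            token = f"tok_{body}_{pan[-4:]}"
            if token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the payment path that is permitted to reach the vault calls this."""
        return self._vault[token]


def demo() -> tuple[dict, dict, bool]:
    """Tokenize one constructed order and return the scanner's verdict before
    and after, plus whether the vault can still recover the original PAN."""
    vault = TokenVault()
    raw_order = {"order_id": "A-1001", "card": SAMPLE_PAN, "amount": "19.99"}
    before = scan_record(raw_order)
    stored_order = {**raw_order, "card": vault.tokenize(raw_order["card"])}
    after = scan_record(stored_order)
    return before, after, vault.detokenize(stored_order["card"]) == SAMPLE_PAN


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the scanner flagging the `card` field of the raw order and finding nothing once the field holds a token, while the vault alone can still map the token back to the PAN. Scanning field by field, rather than over a concatenated row, keeps adjacent numeric fields (an order number next to a card number) from being merged into one long digit run that the candidate pattern would misread; the Luhn filter is what keeps long timestamps and identifiers from being reported as cardholder data.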