The Payment Card Industry Data Security Standard (PCI DSS) is a wide-reaching set of security standards that applies to companies that process payments and hold, process, or store cardholder data. Basically, most companies. This is a standard formed by credit card companies, and non-compliance can result in heavy fines.
Aside from being a standard companies need to adhere to if they are to work with these organizations, the standards are designed to protect important financial information, ensure the organization has an infrastructure in place to secure cardholder data, and to ensure prevention, detection, and monitoring elements are in place within an organization. Non-adherence isn’t just financially risky, but will result in a less secure environment and may play a part in data breaches and exposed files.
Many data breaches that include compromised cardholder data often lead to an investigation to determine if the affected organization was non-compliant. More often than not, they are found to have lacked key PCI DSS standards of security and are often fined, as a result, making an already troubling data breach even more consequential.
Recently, a new update to PCI DSS (PCI DSS 4.0) was introduced. It’s expected to go into effect in March 2024, so it’s important for companies to prepare themselves and ensure that they are able to meet these new compliance revisions.
In this article, we’ll go over these updates and why it’s so important to adhere to PCI DSS compliance.
What’s new in PCI DSS 4.0
The current PCI DSS standard that’s in place is 3.21 and it will still be the case until March 31st 2024, when 4.0 will be in effect. You can view both versions on the official PCI DSS website here as well as a Summary of changes from 3.21 to 4.0.
However, while organizations have slightly over a year to ensure they’re compliant with the new update, we don’t recommend waiting until the last minute. Some of these updates may require additional stakeholders, departments, budgets, technologies, and vendors to be involved.
Many of the changes in PCI DSS 4.0 are designed to be a bit more flexible and understanding of the fact that many organizations have complex data environments, wide-ranging infrastructure types, and that data security can come in many ways and often, via third-party vendors.
A few of the key changes include:
- Improved account security, specifically regarding passwords and user authentication
- Requiring stronger and more robust discovery and monitoring of sensitive data
- Expanding the scope of entities to whom PCI DSS applies
- Clarifying the use of third-party service providers that manage CDE (Cardholder Data Environment) and what assessments are required
- Updating and clarifying how to approach cloud and serverless workload security
- Focusing on maintaining security as a continuous and ongoing process
Why is PCI DSS compliance important?
PCI DSS affects any merchant, business, service provider, or organization that stores, processes, or transmits payment cardholder data – meaning it applies to nearly any organization.
These are regulatory standards set by the Payment Card Industry Security Standards Council (PCI SSC) and it’s a mandate that’s agreed upon by any organization working with credit card organizations. That means that fines and penalties are levied by these credit card companies if non-compliance is found.
How data breaches uncover non-compliance
Organizations are often found to be non-compliant with PCI DSS when they suffer a data breach. Payment card partners investigate the organization to assess whether they were PCI DSS-compliant at the time of the breach. Depending on the data breach, state and federal governments may conduct an investigation and lawsuits may follow from affected consumers. If it’s found that an organization was non-compliant when they suffered a data breach, it can make any outcomes much worse for the affected organization.
If they’re found non-compliant, they may be susceptible to a number of fees and fines that could include:
- Increased transaction fees
- Compensation fees associated with affected consumers
- Costs associated with forensic investigations
- Fees related to associated lawsuits
Exact amounts of fines range widely, from $5,000 to $100,000 a month depending on how long the company was found to be non-compliant. Customer compensation fees can range from $50 - $90 per each customer affected.
This is why when a data breach leaks millions of customers’ data, it can get costly quickly and why some of the most expensive data breaches have such high price tags associated with them. For example, the famous Target data breach that resulted in 40M credit card numbers being leaked ended up in a $18M+ settlement and cost Target over $200M in fees. Equifax’ data breach in 2017 that affected over 145M people ended up costing the company more than $400M dollars.
How organizations can improve their compliance efforts
Achieving compliance can be difficult for some organizations who are likely to face tighter budgets and fewer resources in 2023. Rehauling and ensuring that the company’s infrastructure is updated for PCI DSS 4.0 can be difficult, especially if you wait to start.
We recommend going over the PCI DSS 4.0 updates and summary of changes and identifying gaps in non-compliance. Once you have a list of what requires an update, you can prioritize updating your organization to achieve compliance by how complex the update is and what other departments and stakeholders are required.
One helpful option organizations have available is leveraging key managed service security partners like MDR providers. These services can support your organization and help you meet key requirements to get your organization up to date with PCI DSS 4.0. They can also help you obtain certifications that demonstrate compliance, perform successful audits, and help maintain compliance as a continuous and ongoing process.
Depending on what MDR partner you work with, you may be able to rely on them to help simplify the overall process and guide you through the process of achieving compliance. They can also be the responsible for certain protection and security services required by PCI DSS 4.0 including:
- Installing and maintaining network security controls
- Applying secure configurations to system components
- Protecting account data
- Maintaining a vulnerability management program
- Implementing access control measures
How an MDR service can help achieve PCI DSS 4.0 compliance
To get a better understanding of how MDR partners can help companies with their compliance efforts, check out our PCI DSS 4.0 white paper. You’ll learn:
- The 12 PCI Security Standards and what’s required by organizations to stay compliant
- The specific changes that PCI DSS 4.0 brings to help organizations prepare for the incoming standard change.
- Which requirements organizations are most likely to struggle with achieving
- How MDR services help organizations stay compliant
- Key benefits of MDR and XDR services beyond compliance support.
Learn how Bitdefender MDR can help you with PCI DSS compliance here.