The Payment Card Industry Data Security Standard (PCI DSS) lays out a series of requirements for companies that handle credit card data. This includes the need for annual recertification. As AllSecure recently completed recertification, and PCI DSS 4.0 was announced this year, we took this as an opportunity to take a closer look at PCI DSS.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card schemes and sets baseline requirements to protect account data and encourage global data security measures. Complying with PCI DSS is required for any business that processes credit or debit card transactions. Certification is required on a regular basis, and the process depends on the processor’s compliance level. There are 4 levels in total, with Level 1 the most stringent, requiring an annual audit by an independent assessor and quarterly PCI scans by an approved scanning vendor.
Meeting the criteria for compliance requires security measures to be in place to safeguard account data, ranging from maintaining security measures like deploying a firewall and antivirus software, to protecting and encrypting card account data. Merchants who process credit card transactions also need to be PCI DSS-compliant, with the compliance level depending on the volume of transactions. Using a certified payment service provider (PSP) or payment orchestration platform (POP) makes it much easier for merchants to meet the more complex security requirements.
By storing credit card information in AllSecure’s secure PAN vault, merchants can demonstrate that they meet the criteria for safeguarding account data. As long as credit card details are not stored or processed directly by the merchant, their PCI DSS scope is reduced significantly. In these cases, merchants may only be required to complete a self-assessment questionnaire rather than undergo a full annual audit.
How does PCI DSS recertification work and how often is it required?
PCI DSS recertification is an annual process. An attestation of compliance is valid for one year and requires an annual renewal. For providers like AllSecure, who are certified at PCI DSS Level 1, certification is performed by an external Qualified Security Assessor (QSA).
The QSA evaluates AllSecure’s payment processes over the course of a week. This involves asking questions about processes and analyzing the configuration of the systems involved in processing payments. The audit covers areas including antivirus software, firewall rules and ensuring that databases do not store sensitive data beyond what is permitted. Upon completion of the audit, an attestation of compliance is issued by the QSA, which is valid for another year.
This recertification process applies to all players involved in payment processing, including the acquirers and providers integrated on our platform. When implementing a new interface, AllSecure checks the provider’s certificate prior to implementation. This check is then renewed on an annual basis - if no updated certificate has been issued for a provider, the connections to that provider are deactivated.
What is PCI DSS 4.0?
Version 4.0 of the PCI Data Security Standards (PCI DSS) was issued on 31 March 2022, and represents the latest iteration of the global standard. It will replace PCI DSS 3.2.1 by addressing newly emerging threats and reflects feedback submitted over the past three years by several hundred organizations. As in any technology industry, the payment industry continually adopts and integrates new technologies, and PCI DSS is evolving to reflect these industry-wide changes.
PCI 3.2.1 will remain in use for a 2-year transition period lasting until 31 march 2024. This transition period will allow organizations to become acquainted with 4.0 and implement any changes required. From 31 March 2024 onwards, PCI DSS 3.2.1 will be discontinued and fully replaced by PCI DSS 4.0. There is an additional year after this date for organizations to implement best practices according to PCI DSS 4.0.
What has changed in PCI DSS 4.0?
A full list of changes would go beyond the scope of this article. If you are interested in PCI DSS 4.0, you can find detailed information on the changes here ( https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r2.pdf ). Some of the key changes include:
- Assigned roles and responsibilities for all requirements, with guidelines on security practices
- Updates that reflect changes in payment technology, making it easier for organizations to meet the security goals through alternative approaches, such as permissions for group, shared and public accounts, targeted risk analyses and new ways of validating PCI DSS requirements
- Improved verification process, aligning the information in compliance reports and self-assessment questionnaires with the attestation of compliance
What does this mean for merchants?
The impact of PCI DSS 4.0 on merchants who do not handle account data directly should be minimal. AllSecure will be PCI 4.0 certified by 2024 at the latest. We would still recommend that merchants get acquainted with the changes in PCI DSS 4.0, and check whether changes from version 3.2.1 impact them in any way.
Meeting more complex PCI DSS requirements, such as storing card account details in a secure vault and protecting the transmission of card data across networks is much easier when handed off to a third-party expert. AllSecure provides the necessary infrastructure to store card details securely, and uses security measures such as tokenization - where raw credit card details are replaced with identifying tokens for recurring transactions - that means that merchants can spend more time focussing on their core business and less time solving security challenges.