The PCI Security Standards Council has made persistent efforts to ensure that app-based payment companies operate within a safety net. Continued neglect by fintech organizations has pushed the PCI Council into introducing norms that hold them liable for the damage.
A recent study found that 59% of fintech organizations have failed PCI DSS requirements in the past. The new norms and security standards will hold software vendors, payment facilitators, and merchants liable for heavy fines if found in violation of compliance requirements.
Why do PCI requirements change year after year?
The PCI SSC (Security Standards Council) is vigilant towards the growing number of adversaries targeting online payments. The huge volume of transactions, and the billion-dollar valuations behind them, invite trouble that needs to be addressed strictly. By keeping up with technological change and developments in the threat landscape, the PCI SSC helps vendors, organizations and payment facilitators ensure the full security of cardholders’ data.
Some of the other reasons why PCI requirements keep changing every year are:
- Introduction of new payment methods like NFC and Tap-and-go.
- Changes in router technology to facilitate faster processing of transactions.
- Software development cycles that use bypass technology to speed up overall processing.
- Hardware technological advancements that offer instant payment using commercial-off-the-shelf devices.
5 Latest Developments in PCI DSS
1. ASC X9 and PCI SSC Create Unified PIN Acceptance Standards
Based on feedback from industry leaders, the PCI SSC and ASC X9 collaborated to create a Unified PIN Standard. ASC X9, the Accredited Standards Committee X9, is the USA’s Technical Advisory Group that develops and promotes standards for financial services within the United States of America.
Earlier, enterprises located in the USA or operating on data of US citizens were required to demonstrate both PCI and ASC compliance. With this collaboration on the Unified PIN Standard, enterprises operating within the USA will now have to get PCI audited only.
ASC and the PCI Council collaborated to create one PIN standard because two PIN standards with different content were confusing industry leaders. The collaboration was officially published in version 3.0 of the PCI PIN Security standard. By November 2019, ASC had started withdrawing X9 TR-39 and made the PCI standard the sole requirement.
Industries impacted: Fintech Organizations, E-commerce platforms, SaaS companies.
- Organizations will now have to follow one single standard for payments in the USA and other countries, i.e. the PCI standards.
- Enterprises will not be required to furnish audits for PCI and ASC separately.
- Businesses can now become PCI DSS compliant and operate in the USA without inviting fines from ASC.
2. PCI Council Publishes V3.0 of P2PE Standards & Program
Based on requests from industry leaders, the PCI Council published norms on 12th December 2019 that simplify the process for component and solution providers to validate their P2PE products for cardholder data protection.
Vice President Troy Leach clarified that “the basic technology is not changing, it is just evolving to make space for new modes of payment”. The VP also explained that the changes will help industry players meet PCI DSS requirements more easily.
The changes introduced on 12th December are based on feedback received during the Request for Comment (RFC) conducted by the PCI DSS Council. The core technology remains the same as PCI DSS V2.0, but V3.0 gives facilitators more flexible options for achieving PCI compliance and handling P2P transactions.
Industries Impacted: Every industry that receives online payments or stores cardholders’ data.
- Lower chance of getting caught in the audit web and becoming liable for fines.
- An opportunity to leverage state-of-the-art technology to offer better P2P payment options without failing PCI requirements.
3. PCI SSC Publishes New Standards for Contactless Payments
The changes introduced on 4th December were in light of the growing use of technology in receiving payments. Methods like “Near-field Communication” are becoming the mainstream mode of payment for millennials.
The new standards introduced on 4th December focus on making these contactless payments more secure. Owing to the changes, merchants will be able to receive payments using commercial off-the-shelf (COTS) devices more securely.
The PCI CPoC standard includes detailed information on the requirements merchants will have to meet. Meeting these requirements will let merchants offer customers options like tap-and-go and NFC payments.
Industries Impacted: Retail stores that use Point of Sale devices to receive payments.
- Organizations can expect a change in the upper-limit on payments that can be processed through NFC.
- Retail stores can offer customers a seamless payment experience.
- Reduced cases of payment failures or additional payments made because of an incorrect connection between cards and commercial-off-the-shelf devices.
4. PCI SSC Launches new Assessor Qualification Program
The Payment Card Industry Security Standards Council launched a new assessor qualification program to support the PCI Software Security Framework. The new program helps businesses and PCI QSAs offer robust compliance services to willing organizations.
The new PCI SSC programs also allow organizations and their employees to perform self-assessments and acquire the requisite certification. Employees can perform assessments against the Secure SLC and Secure Software Standards. Organizations that offer a comprehensive PCI compliance service, including audit and certification, will benefit immensely from the new standards.
The new norms expand the scope to include new technology and software packages. The new standards will support various other technologies and software that were previously excluded, leading to easier audits and certifications.
New and existing PCI assessors can apply on the PCI SSC website to become eligible to offer SSF assessments to other organizations. The norms introduced on 2nd October are a move that increases the inclusion of QSAs who work on remote technologies with a limited number of customers.
Industries Impacted: Cybersecurity organizations that offer PCI DSS certification.
- PCI QSAs can now increase their reach and help smaller organizations with less sophisticated technologies become PCI compliant.
- Cybersecurity organizations can now offer more comprehensive security against unauthorized access to cardholders’ data.
- Opportunity for organizations to get registered as assessors and help other enterprises get compliant.
5. PCI SSC Announces New Validation Programs for Payment Software Vendors
On 26th June 2019, PCI SSC announced two new validation programs to ensure development practices followed by payment software vendors and software products abide by the 12 PCI DSS requirements.
The two new validation programs make it compulsory for software vendors to demonstrate their development practices and make their payment software products more transparent for PCI SSC.
These validation programs were introduced as part of the PCI Software Security Framework, which oversees the design, development, and maintenance of payment software tools.
Industries Impacted: Software vendors involved in the creation of payment software interfaces.
- The overall security of cardholders’ data increases.
- The lifecycle of the tested software package increases and the overall cost of maintenance decreases.
The Payment Card Industry Security Standards Council, which comprises Visa, American Express, JCB and MasterCard, works in collaboration with other industries to offer a better experience to end-users without compromising overall security.
While some of the recent changes improve the overall customer experience, the other norms protect cardholders’ data without taking too much away from software vendors.