The PCI Security Standards Council has made persistent efforts to ensure that app-based payment companies operate within its safety net. Continued disregard from fintech organizations has pushed the PCI Council into introducing norms that hold them liable for the resulting damage.
In a recent study, it was found that 59% of fintech organizations have failed PCI DSS requirements in the past. The new norms and security standards will hold software vendors, payment facilitators, and merchants liable for heavy fines if they are found in violation of compliance requirements.
The PCI SSC (Security Standards Council) is vigilant toward the growing threats to online payments. The huge volume of transactions behind billion-dollar valuations invites trouble that needs to be addressed strictly. By keeping up with technological change and developments in the landscape, the PCI SSC helps vendors, organizations and payment facilitators ensure full security of cardholders’ data.
Based on feedback from industry leaders, the PCI SSC and ASC X9 collaborated to create a Unified PIN Standard. ASC X9, the Accredited Standards Committee X9, is the USA’s Technical Advisory Group that develops and promotes standards for financial services within the United States of America.
Earlier, enterprises located in the US or operating on the data of US citizens were required to furnish both PCI and ASC compliance. With this collaboration on the creation of the Unified PIN Standard, enterprises functioning within the USA will now only have to undergo a PCI audit.
ASC and the PCI Council collaborated to create one PIN standard because two standards with differing content were confusing industry leaders. The collaboration was officially published in version 3.0 of the PIN Security standard. By November 2019, ASC had started withdrawing X9 TR-39 and making the PCI standard the sole requirement.
Industries Impacted: fintech organizations, e-commerce platforms, SaaS companies.
Based on requests from industry leaders, the PCI Council published norms on 12th December 2019 that simplify the process for component and solution providers to validate their P2PE products for cardholder data protection.
Vice President Troy Leach cleared the air, stating that “the basic technology is not changing, it is just evolving to make space for new modes of payment”. The VP also explained that the changes will help industry players meet PCI DSS requirements more easily.
The changes introduced on 12th December are based on feedback received through a Request for Comment (RFC) conducted by the PCI DSS Council. The core technology remains the same as PCI DSS V2.0, but V3.0 will provide facilitators with more flexible options to achieve PCI compliance for P2P transactions.
Industries Impacted: every industry that receives online payments or stores cardholders’ data.
The changes introduced on 4th December came in view of the growing use of technology for receiving payments. Methods such as Near-Field Communication (NFC) are becoming the mainstream mode of payment for millennials.
The new standard introduced on 4th December focuses on making these contactless payments more secure. Owing to the changes, merchants will be able to accept payments on commercial off-the-shelf (COTS) devices more securely.
The PCI CPoC standard includes detailed information on the requirements merchants will have to meet. Meeting these requirements will let merchants offer customers options such as tap-and-go and NFC payments.
Industries Impacted: retail stores that use point-of-sale devices to receive payments.
The Payment Card Industry Security Standards Council launched a new assessor qualification program to support the PCI Software Security Framework (SSF). The new program helps businesses and PCI QSAs offer robust compliance services to organizations that want them.
The new PCI SSC programs also allow organizations and their employees to perform self-assessments and acquire the requisite certification. Employees can perform assessments against the Secure SLC and Secure Software Standards. Organizations that offer a comprehensive PCI compliance service, including audit and certification, will benefit immensely from the new standards.
The new norms expand the scope to include new technology and software packages. The new standards will support various other technologies and software that were previously excluded, leading to easier audits and certifications.
New and existing PCI assessors can apply on the PCI SSC website to become eligible to offer SSF compliance services to other organizations. The norms introduced on 2nd October are a move that increases the inclusion of QSAs who work on remote technologies with a limited number of customers.
Industries Impacted: cyber security organizations that offer PCI DSS certification.
On 26th June 2019, the PCI SSC announced two new validation programs to ensure that the development practices followed by payment software vendors, and their software products, abide by the 12 PCI DSS requirements.
The two new validation programs make it compulsory for software vendors to demonstrate their development practices and make their payment software products more transparent to the PCI SSC.
These validation programs were introduced as part of the PCI Software Security Framework, which oversees the design, development, and maintenance of payment software tools.
Industries Impacted: software vendors involved in the creation of payment software interfaces.
The Payment Card Industry Security Standards Council, which comprises Visa, American Express, JCB and MasterCard, works in collaboration with other industries to offer a better experience to end users without compromising overall security.
While some of the recent changes improve the overall customer experience, the other norms look after the security of cardholders’ data without taking too much away from software vendors.