Companies That Accept Credit Card Payments Must Meet New Security Requirements To Avoid Consequences

Written by Emily Jones on December 20, 2023

Much has been written from various places about the new PCI DSS, or Payment Card Industry Data Security Standard, requirements that go into effect March 31, 2024.

With PCI DSS 4.0 nearing its effective date, company decision-makers should already be planning and implementing resources and processes to comply with the new regulations. It will impact all companies that accept credit/debit card payments.

What is PCI DSS 4.0?

PCI DSS has 12 core requirements that create a compliance framework designed to keep payment card account data and the global payment industry safe. PCI DSS 4.0 is the most recent version of the PCI DSS standard.


While these 12 requirements were not fundamentally changed in PCI DSS 4.0, the update keeps security measures in step with the current state of e-commerce by addressing technology advancements and new threats, and by clarifying the responsibilities of the companies taking cards and of the card processors.

Some of the new and updated requirements address security inefficiencies from earlier standard versions, and others provide more effective methods for safeguarding cardholder data. The updates fall under one or more of these goals for PCI DSS 4.0:

  • Continue to meet the security needs of the payment industry
  • Promote security as a continuous process
  • Introduce flexibility for different methodologies
  • Enhance validation methods
  • Clarify secure processing responsibilities

Continue To Meet the Security Needs of the Payment Industry

There are now more stringent requirements for multi-factor authentication and password lengths, bringing the standard more in line with NIST’s guidelines on digital identity. Phishing protection is also addressed and must now be automated to help minimize the success of phishing attempts.

Promote Security as a Continuous Process

Roles and responsibilities for executing the mandated compliance activities need to be documented, assigned and understood.

Introduce Flexibility for Different Methodologies

New requirements provide for more implementation options and support payment technology innovations to give companies more leeway to design their own security controls to meet their security goals.

Enhance Validation Methods

In addition to the traditional defined approach, new validation and reporting options allow for an objective-based customized approach.

Clarify Secure Processing Responsibilities

Secure processing responsibilities fall on both the processor’s side of the transaction and on the company accepting credit/debit cards. Either party, or both, can be found negligent if their requirements are not met.


Who Does PCI DSS 4.0 Apply To?

Complying with PCI DSS standards is essential for issuers, merchants, service providers and any other organizations that store, process or transmit credit/debit card information.

What Are the Consequences of Noncompliance?

In addition to legal fallout and loss of customer trust if non-compliance leads to data theft or a security breach, non-compliant companies can face other serious consequences.

Payment processors or merchant service providers may assess a larger fee if a company fails to meet the minimum security standards for processing payments. Depending on the size of the company and the duration and scope of the non-compliance, PCI non-compliance fees can be as much as $100,000 per month.

Credit card companies may even cancel a company’s card for non-compliance with PCI DSS 4.0, and a non-compliant company’s merchant account can be suspended by its bank or payment processor, leaving it unable to accept credit card payments.

Companies may also be placed on the MATCH list for not complying with PCI DSS.


What is the MATCH List?

The Member Alert To Control High-Risk Merchants (MATCH) list was created by Mastercard as a way to identify merchants who have been designated as high risk. Banks, payment processors, lenders, card issuers and other financial institutions use the list when determining whether to conduct business with a merchant.

Companies added to the list may include those whose merchant account was previously terminated or those that conduct a business that payment processors consider risky. In addition to non-compliance, merchants can be added to the list for excessive chargebacks, fraud or bankruptcy.

If your company’s merchant account is currently in good standing, it will not be affected by being added to the MATCH list, but your company may be unable to open new accounts.

How Do I Know if I’m Compliant With PCI DSS 4.0 or Not?

To be compliant, you need to fulfill the obligations dictated by the requirements in a manner that is best suited for the risk to your company.

This is a process you can begin yourself by determining your company’s PCI level, a designation based on how many credit card transactions your company processes annually. You should then complete a self-assessment questionnaire, which can reveal how well your company complies with PCI DSS 4.0.

If you find that your company is not in compliance or that you need assistance even getting started on your compliance journey, you should consult experienced technology professionals.

Get Help To Meet the Latest PCI DSS Requirements

To implement PCI DSS 4.0, your company will have to do far more than just adjust security measures. The Warren Averett Technology Group can help your company navigate the complexities of the new regulations and advise you of what is needed to achieve and remain in compliance. Schedule a consultation with us today.
