Exclusive: Banking & finance – The big card countdown

July 21, 2022

Geoff Forsyth, CISO, PCI Pal, explains how, as credit card fraud rises, businesses have two years to make important updates to protect customers and themselves.

Payment card fraud is a serious business risk. A 2020 review of payment industry fraud by UK Finance and LexisNexis found that payment card fraud reached £574 million on UK-issued cards, a 3% year-on-year increase in the total number of reported fraud cases.

It is a contractual obligation, set by the card payment brands, for all organisations that handle customers’ credit card payment information to comply with the Payment Card Industry Data Security Standard (PCI DSS). But what exactly is the PCI DSS?

It was introduced in 2004 by Visa, Mastercard, American Express, JCB International and Discover Financial Services. It is a standard providing 12 distinct requirements helping organisations to safeguard their customers’ sensitive payment card data.

Importantly, it applies to any firm handling payments, regardless of size, industry, transaction volumes or whether the payments are handled online, over the phone or digitally. 

If a transaction involves the storage, processing or transmission of sensitive data through the organisation’s networks, then PCI DSS compliance is a must.

Not only that, the safe and secure handling of payment card information is increasingly important to customers.

Research conducted by PCI Pal in October 2021 emphasised the importance of safeguarding data in order to maintain customers’ loyalty.

The study revealed 62% of consumers said if a brand they knew had been subject to a data breach, they would stop shopping with them. Over a quarter (26%) said this halt on spending would be indefinite. It therefore shows it is important to get this right.

Organisations are, however, struggling to achieve and maintain effective year-round payment card data security compliance.

Verizon’s 2021 Payment Security Report disclosed that nearly three-quarters of organisations (about 72.1%) focus on passing an annual PCI DSS compliance assessment instead of maintaining truly effective and sustainable control environments.

Changes

An updated version of the PCI DSS Standard – PCI DSS v4.0 – was released at the end of March 2022, with a two-year implementation timeline given to merchant organisations to make the necessary changes and adopt it.

The new Standard has been introduced to account for technological advances in the payments arena, accelerated digital service adoption, the increased move to remote working, as well as evolving cyber threats, all of which demand more robust protections around the card data environment.

While the twelve core requirements remain, PCI DSS v4.0 introduces three significant changes including customised implementation of the Standard for merchants, mandatory multifactor authentication and continuous security testing.

The requirement to encrypt cardholder data has also been extended to trusted networks as well as public networks.

With the continual evolution of cybersecurity threats, it is important to make sure that any environment handling payment information is not exposed to new attacks.

As such, version 4.0 requires PCI approved Qualified Security Assessors (QSAs) to actively test merchants’ environments, processes and infrastructure over an extended period, replacing one-off annual audits, which simply provide a ‘snapshot’ in time of an organisation’s security compliance.

With a refreshed emphasis on continuous security processes, PCI DSS 4.0 should help organisations make continuous testing part of their ‘business-as-usual’ culture and we hope to see the percentage of companies achieving and maintaining year-on-year compliance increase as a result.

Passwords

To comply with PCI DSS v4.0, all access to the card data transaction environment must be protected with multifactor authentication (MFA). Passwords for accessing payment and control processes must also be lengthened and strengthened by using at least 12 characters and including a mixture of numbers and letters.

Version 4.0 allows merchants to design their own data security and access controls to comply with the core intent of the Standard, which is to protect customers’ payment card data. This gives enterprises far greater flexibility to adopt new technology or enhanced security solutions that support their requirements.

Plus, it means organisations can keep up to date with emerging consumer payment methods (and evolving threats) that face their payment and IT ecosystem.

Merchants that adopt this strategy do need to be subject to independent verification via a PCI approved QSA.

Treading the fine line between securing every transaction and not interrupting or elongating the customer experience is something that needs to be taken into consideration.

After all, while it is understandably important to have firm security processes in place, you don’t want these to impact the overall customer experience, leading to frustration, purchase abandonment or customer trust being impacted.

One of the most effective ways to comply with the intent of PCI DSS v4.0 – and protect your customers’ data – is to leverage the cloud to descope your infrastructure by not storing any payment card data within your organisation’s systems. 

My advice, however, is to ensure that this is looked at from a holistic point of view, involving your telephony partner and CRM platforms and sewing them together with a compliance solution that integrates with your existing technologies. This removes the need to reinvent the wheel, start from scratch or have a big ‘change’ project on your hands.

You also need to consider compliance from an omnichannel support perspective – while a large proportion of your transactions may today be over the phone or online, make sure you have considered alternative payment channels, such as digitally assisted channels like web chat.

This was discussed at a recent conference I attended: the growing ‘conversational commerce’ trend, whereby digital channels such as WhatsApp are increasingly being used to communicate with customers and also to generate revenues through in-app purchases.

This places an even stronger emphasis on getting the experience right, no matter what shopping method is being used by the customer. It is important for every customer to have a consistent experience, regardless of how they choose to interact with your brand.

Ticking clock

The countdown to 2024 is officially on to adhere to the new standard, PCI DSS v4.0. 

With just under two years to transition from the old to the new, it allows time to focus on the required organisational changes, budget accordingly and work with colleagues to make PCI compliance part of the ‘day to day’.

My advice is to create a comprehensive transition plan, which can be implemented once the new Standard is enforced.

Once in place, it will not only support your future omnichannel payment strategies but also provide confidence to senior internal stakeholders, as well as to customers, that payments are being transacted in the safest and most compliant way.

A win-win for all involved.

For more information, visit: www.pcipal.com

This article was originally published in the July 2022 edition of Security Journal UK.
