business security

Introducing important changes to credit card data security standards

David Strom 19 Apr 2022

Credit card issuers and online businesses will have two years to implement the changes.

Since we last wrote about Payment Card Industry Data Security Standards (PCI DSS), the organization has made a series of updates to its standards with its latest version 4.0. It contains several important improvements, which we'll break down in this post.

What's new in PCI DSS v4.0?

First off, the newest version of the PCI guidelines reflect that security has become a continuous process. This means that businesses will have more flexibility in how to achieve various security objectives, including how to quantify risks. One consequence of these changes is in the standards language around firewalls, which has been replaced by more general “network security” terms as well as a bigger emphasis on a more comprehensive zero-trust perspective. These items show the maturing of the standard and how data security practice has evolved over the past several years since the standard was first formulated.

PCI has partnered with Europay, Mastercard, and Visa to implement the use of the 3DS Core Security Standard during transaction authorization. This standard has already been implemented by the major credit card companies and goes by their brands such as Mastercard Identity Check, American Express SafeKey, and Visa Secure. The standard is designed to reduce fraud, particularly with online transactions, and embeds the authentication dialogs directly into the checkout workflows so that the purchaser would have a more frictionless ecommerce experience. The 3DS standards “will improve dynamic authentication for e-commerce and m-commerce environments as well as keep up with the increased usage of mobile payments and protect these transactions from fraud,” says Emma Sutcliffe of the PCI organization.

Perhaps the most important change is the expansion of encryption and MFA requirements to protect all accounts that have access to cardholder data.  The standards also require annual password changes, with 15-character minimums and a review of access privileges every six months. Taken together, this means better data protection but more work for businesses and banks to implement these tools.  

As you can see from the timeline graphic below, credit card issuers and online businesses will have two years to implement the changes, which will give them time to formulate their plans and test the new authentication and encryption processes.

Image credit: PCI DSS

While these changes are more evolutionary than revolutionary, there are some important takeaways for SMBs in particular:

  • First, if you haven’t yet implemented any MFA for your customer accounts, now is the time to put a plan in place and determine how you will become compliant with the v4.0 regulations.

  • Second, you should also audit how your cardholder data is stored and ensure that the appropriate encryption is deployed.

  • Finally, you should audit your online ecommerce workflows to also ensure that they will be compliant with the new PCI DSS v4.0 rules.

Further reading: How to ensure the safety of online transactions for your business