If your business accepts credit cards, you need to comply with the new Payment Card Industry Data Security Standard (PCI DSS) 3.2 regulations by February 2018
PCI DSS has been in force since 2004 and is designed to help you protect customer data before, during and after card purchases.
In April 2016, PCI DSS version 3.2 was released, and the new regulations will help your business manage information security more effectively.
PCI DSS is a collection of data security practices and controls that prevent card payment information from being used fraudulently
PCI DSS mandates data security best practices. It contains 12 core points relating to:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management programme
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy.
However, the evolution of payment methods – recent years have seen the emergence of mobile payments, for example – has led to new vulnerabilities when it comes to customer payment information.
Updates to PCI DSS regulations, including the recent introduction of version 3.2, reflect this shifting situation.
Multi-factor authentication is the main change introduced in PCI DSS 3.2
Multi-factor authentication means that you need at least two credentials to authorise access to card data and systems. In other words, a password on its own is no longer sufficient, even if you’re working from a trusted internal network.
The changes apply to everyone with access to the cardholder data environment, including administrators who have the power to change systems and settings.
Service providers must also adhere to more robust controls
Your service providers play a key role in protecting customer data. You can have rigorous procedures in place, but breaches can still occur if third parties don’t also adhere to high security standards.
PCI DSS 3.2 introduces several new requirements for service providers
For example, they must meet criteria around oversight and failure detection mechanisms. They must test their systems more regularly and provide additional evidence of the controls they have in place. The new requirements also make PCI DSS compliance an executive-level responsibility for service providers, ensuring that information security is part of core strategy and focus.
Everyone involved in information security has an interest in PCI DSS compliance
If you’re not sure how to go about making changes, start by making sure your business works with compliant service providers – payment gateways and shopping carts, for example.
You may also find it useful to appoint a Qualified Security Assessor (QSA) to help you work out the precise steps you need to take to become compliant. A QSA is an assessor, not an auditor, and the engagement is a partnership aimed at helping you achieve success.
All QSAs have to be part of a certified company: check out this list of approved providers on the PCI website. Look for one with SME experience in your sector.
Most of the changes introduced in PCI DSS 3.2 are best practice until 1 February 2018
However, it’s best to be proactive so you’re compliant in plenty of time for the deadline.
It’s more likely to take SMEs time to comply because many of them lack specialist IT expertise. Given that SME directors wear several hats, handling everything from HR to business development and IT, finding the time and the resource to devote to information security is a constant challenge.
So bear in mind that it takes time to replace authentication processes and negotiate new contracts. You may also need to implement cultural changes within your organisation. This often involves training staff on how card payments are processed and what their responsibilities are. And seek specialist support from a QSA to help you get compliant, sustainable processes in place.
Once you implement those processes, it’s important to treat PCI DSS as an ongoing commitment. Not only will this make your business more secure, but it will also help you offer a better service to your customers.
- Companies that accept credit card payments must comply with PCI DSS 3.2 by February 2018.
- The main change affecting SMEs is multi-factor authentication.
- Your service providers must adhere to more robust controls under PCI DSS 3.2, so make sure your partners are compliant.
- Even though you don't need to have all changes in place until February 2018, it's best to be proactive because it can take time to make your processes and systems compliant.
- If you want or need help with compliance, consult a certified Qualified Security Assessor (QSA) with SME experience in your sector.
Get more tips on how to put best practice SME finance and IT systems in place. Download: Get 70% More Value from Your Finance Systems: The Business Leader’s Guide to IT Strategy