Blog | THINKINK

With New PCI Guidelines in Play, How Much is Enough When it Comes to Payments Security?

Written by Vanessa Horwell | May 17, 2016 5:31:26 PM

As the lines between brick-and-mortar, e-commerce, and mobile shopping continue to blur, retailers have little choice but to give customers the best experience possible across all the ways they like to shop: in-store, on a desktop PC, on a tablet or smartphone, or via some combination of all three. Increasingly, delivering the best experience possible means delivering the most secure experience possible – especially when it comes to payments.

Merchants take the customer experience seriously, but are they doing enough to protect consumers from fraud and security threats? Unfortunately, many are asking themselves the same question. In January, ACI Worldwide announced that 75% of retail and technology professionals surveyed cited payments security as the most important feature for their digital channels. Financial-industry stakeholders feel the same way: Recent research from Ovum found that 70% of banks are increasing their investment in payments security technology in 2016.

The continuing problem for merchants and banks – and for every entity engaging in transactions, really – is that it's hard to pin down how much is enough when it comes to payments security. In fact, that's an issue even the standard-bearers of the payments security space can't seem to resolve.

The Payment Card Industry Security Standards Council (PCI SSC) regularly issues new iterations of its security requirements, known as the PCI DSS (for "Data Security Standard"). With a wealth of high-profile data breaches in recent years at organizations that had been assessed as PCI-compliant, the Council has been on the receiving end of heavy criticism from industry experts, who feel that the minimum security mechanisms the standard dictates simply promote "checklist security" rather than comprehensive consumer (or merchant) protection.

By releasing a new set of guidelines, the Council is mitigating that criticism... though not eliminating it. Released on April 28, PCI DSS 3.2, which replaces PCI DSS 3.1 (published in April 2015), goes further than earlier iterations, requiring more extensive testing, detection, and reporting efforts from organizations to earn compliance. One caveat for anyone planning a remediation budget: the new requirements are treated as best practices until January 31, 2018, after which they become mandatory, while PCI DSS 3.1 itself is retired on October 31, 2016. The biggest changes:

• Multifactor Authentication, More Broadly: PCI DSS 3.1 required two-factor authentication only for remote network access originating from outside the organization's network. Version 3.2 renames the control "multi-factor authentication" and extends it (Requirement 8.3) to all personnel with non-console administrative access to the cardholder data environment, whether they connect from inside the network or remotely. (Essentially, anyone who can administer a system that stores, processes, or transmits cardholder data must now present at least two of: something they know, something they have, something they are.)

• Expanded Maintenance Expectations: PCI DSS 3.2 places more ongoing requirements on service providers than ever; these apply to service providers, not to merchants. Service providers must implement a process to detect and report, in a timely manner, failures of critical security control systems such as firewalls, IDS/IPS, file-integrity monitoring, anti-virus, physical and logical access controls, audit logging, and segmentation controls, and must respond to those failures (Requirement 10.8). They must also penetration-test their segmentation controls at least every six months and after any change to them (Requirement 11.3.4.1); the general annual penetration test of the environment remains in place.

• Check-Ups & Expert Education: To maintain compliance with PCI DSS 3.2, service providers must review at least quarterly that personnel are actually following the mandated security policies and operational procedures (daily log reviews, firewall rule-set reviews, change-management processes, and so on) and keep records of those reviews (Requirement 12.11). In addition, executive management must formally establish responsibility for the protection of cardholder data and for the PCI DSS compliance program, including overall accountability and a charter for the program (Requirement 12.4.1).
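The "detection mechanism" requirement above says what must be detected but not how. As an added example, not from the original post and not code published by the PCI SSC, the following Python script shows one minimal approach: every critical control on every in-scope host emits a periodic heartbeat, and the detector flags any control that reports a failure, goes silent longer than its allowed interval, or never reports at all. The heartbeat line format, the control names, the silence thresholds and the host list are assumptions made for the illustration, and the sample heartbeats are constructed, not real telemetry.

```python
"""Minimal detector for failures of critical security controls.

Added example; not from the original post or from the PCI SSC. PCI DSS 3.2
Requirement 10.8 asks service providers to detect and report failures of
critical security control systems but does not prescribe a mechanism. The
heartbeat format, control names and thresholds below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Controls every in-scope host is expected to report on, with the longest
# silence tolerated before the control is treated as failed (assumed values).
CRITICAL_CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "audit_logging": timedelta(minutes=10),
}


@dataclass(frozen=True)
class Heartbeat:
    host: str
    control: str
    status: str      # "ok" or "fail", as self-reported by the control's agent
    seen: datetime   # timestamp carried in the heartbeat (UTC)


def parse_heartbeat(line: str) -> Heartbeat:
    """Parse an assumed 'ISO8601-timestamp host control status' line."""
    ts, host, control, status = line.split()
    seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Heartbeat(host, control, status, seen)


def detect_failures(lines, hosts, now):
    """Return a sorted list of (host, control, reason) findings.

    A control is a finding if its latest heartbeat reports a non-ok status,
    if it has been silent longer than its threshold, or if the host never
    reported it at all (an agent that was removed or never installed).
    """
    latest = {}
    for line in lines:
        hb = parse_heartbeat(line)
        if hb.control not in CRITICAL_CONTROLS:
            continue  # ignore heartbeats for controls we do not track
        key = (hb.host, hb.control)
        if key not in latest or hb.seen > latest[key].seen:
            latest[key] = hb

    findings = []
    for host in hosts:
        for control, max_silence in CRITICAL_CONTROLS.items():
            hb = latest.get((host, control))
            if hb is None:
                findings.append((host, control, "never reported"))
            elif hb.status != "ok":
                findings.append((host, control, f"reported {hb.status}"))
            elif now - hb.seen > max_silence:
                findings.append((host, control, f"silent for {now - hb.seen}"))
    return sorted(findings)


# Constructed sample heartbeats for two in-scope hosts (not real data).
SAMPLE_HEARTBEATS = [
    "2016-05-17T12:00:00Z cde-web01 firewall ok",
    "2016-05-17T12:01:00Z cde-web01 ids ok",
    "2016-05-17T11:30:00Z cde-web01 fim ok",            # 35 min old, within 1 h
    "2016-05-17T12:02:00Z cde-web01 antivirus fail",    # agent reports failure
    "2016-05-17T11:40:00Z cde-web01 audit_logging ok",  # 25 min old, past 10 min
    "2016-05-17T12:03:00Z cde-db01 firewall ok",
    "2016-05-17T12:03:00Z cde-db01 ids ok",
    "2016-05-17T11:59:00Z cde-db01 fim ok",
    "2016-05-17T12:03:00Z cde-db01 antivirus ok",
    "2016-05-17T12:04:00Z cde-db01 audit_logging ok",
]
NOW = datetime(2016, 5, 17, 12, 5, tzinfo=timezone.utc)
CDE_HOSTS = ["cde-web01", "cde-db01"]

if __name__ == "__main__":
    for host, control, reason in detect_failures(SAMPLE_HEARTBEATS, CDE_HOSTS, NOW):
        print(f"ALERT {host} {control}: {reason}")
```

Run against the constructed sample, the detector raises two alerts, both for cde-web01: the anti-virus agent's self-reported failure and the audit-logging heartbeat that has gone quiet past its threshold. Adding a host to the expected list that has no heartbeats at all produces a "never reported" finding for each control, which is the case a simple "did any agent report a failure?" check would miss. Requirement 10.8 also expects the failure to be responded to and the outage documented; this script covers only the detection step.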

With that last requirement, it's clear the Council is placing more of the security burden on organizations themselves and their internal compliance functions, rather than on the standard alone. In fact, the new guidelines prioritize common-sense best practices across the board through a broader focus on education, verification, and ongoing controls.

And perhaps that's the real future of payments security (and the ultimate answer to the "how much is enough" question). Every organization needs to use the right tools and technology to protect its customers as effectively as possible, but it's up to the organization itself, not any compliance checklist, to reach the level of security its own risk actually demands.