The new PCI security changes were introduced in November of 2018 to help address the rapidly changing landscape. As more technologies like voice over internet protocol (VoIP) and interactive voice response (IVR) keep emerging, more guidelines must follow to keep customers safe from fraudulent activity.
PCI stands for Payment Card Industry and every organization that captures, processes, stores, transmits, or affects credit card data is expected to comply with the security guidelines established by the Industry.
Following PCI security standards is just good business. Such standards help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide.
PCI security compliance is required of any company accepting credit cards. This is to ensure that your customers' transactions are secure and to protect them against identity theft.
If you decide not to be PCI-compliant then you may get some hefty fines. As criminals develop smarter data breaching techniques, new guidelines will continue to evolve. As such, your business must continually update its security protocols to remain compliant with the latest guidelines.
Now we can get into the biggest PCI security changes for 2019.
Phone-Based CNP Transactions
Receiving and sending payment data always carries certain risks. The potential threat of fraud or abuse is much higher with card-not-present (CNP) transactions. This is because it is not as easy to verify the authenticity of the cardholder when they’re not present.
In-person fraud has become next to impossible since the advent of EMV credit cards.
EMV cards have embedded security chips which provide unrivaled protection when making in-person purchases. This is why criminals have moved their activity online and to mail or phone-based operations.
If you own a business that uses CNP payments then it is essential to “arm” yourself with fraud detection and prevention tools to validate and authenticate the card being used. Make sure your ecommerce store has features like fraud management which can help reduce the severity and frequency of credit card abuse.
Over the past several years, fraud has substantially increased through CNP payments. Before November of 2018, the PCI security protocols for phone-based credit card processing had not been updated since 2011.
The new PCI security guidelines address the rapidly changing landscape as technologies such as voice over Internet protocol (VoIP), cloud infrastructure and interactive voice response (IVR) become more permanent fixtures of the telecommunications industry.
The exact PCI security standards list of guidelines is over 60 pages. We summarized it into three main categories:
People represent the highest risk when it comes to the security of data whether compromises are intentional or accidental. One of the best ways to mitigate that risk is to create and maintain a culture of security within the organization.
In simpler terms, a customer's credit card data should only be shared on a need-to-know basis. This ensures that only the minimum required number of personnel have access to account data.
For example, assign roles so that payment card information can be entered by a sales agent, but other staff such as customer service representatives have access only to the masked PAN.
PCI security guidelines specifically address physically securing all media.
In the context of securing telephone payments, processes should be implemented and managed to reduce the opportunities for fraud by any personnel exposed to account data.
- If encryption technologies are in place, an entity should not store sensitive authentication data after authorization.
- If sensitive authentication data is received and recorded, the entity MUST render all data unrecoverable upon completion of the authorization process.
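The two controls above, role-based access to the masked PAN and removal of sensitive authentication data once authorization completes, can be expressed directly in a payment application's data handling. The following is an added example written for this post, not code from the guidelines or from any vendor; the role names, field names and the `PaymentRecord` structure are assumptions, and the card number is the well-known constructed test PAN 4111 1111 1111 1111. It masks the PAN to at most the first six and last four digits (the PCI DSS display maximum), exposes the full PAN only to the role that enters payments, and scrubs the card verification code, track data and PIN block from the record before it can be persisted.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Roles are assumptions for this example: only the sales agent who keys in the
# payment needs the full PAN; customer service sees the masked form.
ROLES_WITH_FULL_PAN = {"sales_agent"}

# Sensitive authentication data (SAD) that must not be retained after
# authorization: card verification code, full track data, PIN block.
SAD_FIELDS = ("cvv", "track_data", "pin_block")


@dataclass
class PaymentRecord:
    """Hypothetical in-memory record for one phone-based payment."""
    pan: str
    expiry: str
    cvv: Optional[str] = None
    track_data: Optional[str] = None
    pin_block: Optional[str] = None
    authorized: bool = False


def mask_pan(pan: str) -> str:
    """Mask a PAN to at most the first six and last four digits,
    the maximum PCI DSS permits when a PAN is displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_for_role(pan: str, role: str) -> str:
    """Return the full PAN only to roles that need it to enter a payment."""
    if role in ROLES_WITH_FULL_PAN:
        return pan
    return mask_pan(pan)


def contains_sad(record: PaymentRecord) -> bool:
    """Guard to run before any write to a database, CRM or log:
    True if any sensitive authentication data is still present."""
    return any(getattr(record, name) is not None for name in SAD_FIELDS)


def complete_authorization(record: PaymentRecord) -> PaymentRecord:
    """Mark the record authorized and drop every SAD element so that
    nothing kept after authorization could be used to replay the card.
    (Removing the fields from the in-memory record is the application's
    part; storage-level wiping of any copies is the platform's part.)"""
    for name in SAD_FIELDS:
        setattr(record, name, None)
    record.authorized = True
    return record


def storable_view(record: PaymentRecord, role: str) -> dict:
    """What a given role may see of a completed record; refuses to
    produce a view while SAD is still attached."""
    if contains_sad(record):
        raise ValueError("record still holds sensitive authentication data")
    return {
        "pan": pan_for_role(record.pan, role),
        "expiry": record.expiry,
        "authorized": record.authorized,
    }


if __name__ == "__main__":
    # Constructed sample: the standard test PAN, with SAD captured during the call.
    rec = PaymentRecord(pan="4111 1111 1111 1111", expiry="12/29", cvv="123",
                        track_data="constructed-track-data")
    print("before authorization, SAD present:", contains_sad(rec))
    complete_authorization(rec)
    print("after authorization, SAD present:", contains_sad(rec))
    print("customer service sees:", storable_view(rec, "customer_service"))
    print("sales agent sees:", storable_view(rec, "sales_agent"))
```

The `contains_sad` check is the piece worth wiring into real systems: place it in front of every persistence path (order database, CRM sync, application logs) so that a record which still carries a CVV or track data cannot be written anywhere, regardless of which code path produced it.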
To prevent unauthorized access by individuals with any malicious intention, policies and procedures should be defined to ensure that all personnel are aware that any unauthorized copying, moving, sharing, or storing of payment card data is prohibited.
The PCI security guidelines are very clear on the requirements and controls necessary to keep technology secure.
Using desktops and other types of terminals introduces risks. To prevent unauthorized access to or diversion of account data from such devices, these technologies should be suitably secured and checked regularly for viruses or other malware as well as for signs of physical tampering.
Any customer database systems, third-party CRM applications, or order-processing systems into or through which account data is being processed, transmitted, or stored should be secured. Phone-based environments should leverage security protocols such as multi-factor authentication, keyboard logging devices and antivirus software to reduce the likelihood of data breaches.
New Framework for Software Vendors
The Payment Card Industry has also updated its Secure Software Standard and Secure Software Lifecycle Standard for software vendors and those who develop payment-dependent applications.
This new PCI security standard is still under development but will eventually replace the older Payment Application Data Security Standard by introducing more validation requirements for both software developers and security assessors.
PCI Software Security Framework
The PCI Software Security Framework is a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software. This software standard, along with the Secure Software Lifecycle (Secure SLC) Standard, should be published by the end of this month.
- The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.
- The Secure SLC Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
This validation framework is anticipated to begin in the middle of 2019. The PCI Software Security Framework includes a validation program for software vendors and their software products and a qualification program for assessors. This validation program will ultimately be incorporated into the PCI Software Security Framework, but it will be a gradual transition.
Have Questions About These PCI Security Compliance Changes?
We know reading through the PCI guidelines can give you a bit of a headache, so we're happy to do it for you. Maverick is proud to utilize PCI-compliant gateways that meet the PCI Data Security Standard, meaning we adhere to the strictest data security standards in the industry, allowing your cardholder data to be safe!
Our PCI vendor recently began offering up to a hundred thousand dollars in coverage against PCI breaches. This means that even if something does go wrong, you’ll be protected.
If you have questions about becoming or remaining PCI-compliant, schedule a free consultation with our merchant services team today.