Do you deal with payment cards? Did you miss the PCI SSC Community Meeting? Let me get you up to speed.
Last week in Portland, experts and professionals from the payment card industry came together to discuss the latest data security and compliance developments. Among the many valuable insights, a few themes stood out.
1. The clock on PCI 3.2.1 is running out:
In just six short months, PCI 3.2.1 is set to retire.
What does this mean? Organizations that handle payment card data need to get ahead of PCI 4.0 ASAP. The changes between versions are significant, and making the appropriate updates to reach compliance may take longer than expected.
2. Get to know requirements 11.6.1 and 6.4.3; you’ll hear them nonstop.
Here's a quick refresher:
11.6.1: Organizations need to deploy a change-and-tamper detection mechanism to alert for unauthorized modifications to HTTP headers and contents of payment pages.
6.4.3: For all payment page scripts that are loaded and executed in the consumer’s browser, a method must be implemented to confirm that each script is authorized and to assure the integrity of each script.
Whether you outsource your payment pages, use iframes or redirects, or handle them yourself, these requirements apply. Moreover, they are in scope for every SAQ, all the way down to SAQ A!
For these requirements, meeting compliance may be a heavier lift than expected. These are some of the concerns I heard:
- How do you satisfy these regulations without causing serious damage to business operations?
- Should organizations forbid developers from using script libraries?
- Is purchasing a product that alerts them to changes in HTTP headers a viable solution? (And what happens when those alerts fire at 3 a.m. on a Saturday?)
The roadmap to PCI 4.0 compliance can be overwhelming, and addressing these questions will require a strategic approach. However, with the right planning and tools, organizations can meet compliance without breaking the bank.
Here are my tips for organizations navigating PCI 4.0:
- Communication is key: IT and Development teams will play a critical role in implementing changes to meet these requirements. Make sure your team is well informed of the changes to PCI 4.0 and has a good understanding of new expectations.
- Find a quality solution: Rather than outright forbidding script libraries, organizations can explore compliance technology solutions that enable secure script management. These tools can help verify script integrity and authorization while minimizing operational disruptions.
- Expect more from third-party products and services: For organizations that outsource their payment pages, conducting thorough assessments of third-party vendors is essential. Ask if they are PCI DSS compliant, how regularly they conduct security assessments and if they are willing to be assessed by an external auditor.
- Invest wisely: When choosing a new product or service to help with compliance, look beyond the initial cost. Some products and services may demand the time and oversight of a dedicated employee, which can substantially increase the overall expenses compared to the initial quote. Consider whether the cost of using and managing a product justifies a lower-priced option, or look for a solution that won’t add to your workload.
- Save your budget by planning in advance: Adequate time and resources need to be allocated for implementing changes and upgrades. Waiting until the last minute can result in expensive, rushed solutions that may not meet the necessary security standards.
- Embrace the Journey: Remember that compliance is not a one-time effort but an ongoing process. Stay up-to-date with the latest compliance updates, ensure your staff remains well-informed through continuous education and training, and regularly assess your security measures to stay ahead of evolving threats.
The upcoming shift from PCI 3.2.1 to PCI 4.0 poses big challenges for payment card industry players. Navigating requirements like 11.6.1 and 6.4.3 can be tricky, but with smart planning, teamwork, and the right tech tools, companies can stay compliant without causing major disruptions.
Written by Lindsay Kleuskens, Business Development of DataStealth.io