As banks get ready to implement a new data security standard created by a payment industry group, there are three areas in which banks, retailers and payment processors need to step up their efforts, experts say: employee authentication, security testing and monitoring of partners' data security.
The PCI Standards Security Council (PCI SSC) kept the 12 tenets of the PCI Data Security Standard (PCI DSS) functionally the same, but have made a significant change toward an outcomes-based approach in the recently released 4.0 version. Retailers and financial institutions will have two years to implement the new requirements. Assessors will wait until March 2025 to verify compliance with the new standard.
The typical bank likely has little remedial work to do immediately in light of the new standard, according to experts at the cybersecurity assessor Schellman, but many advised financial institutions they ought to start working now if they have not already to meet the new standards. Additionally, banks need to worry about more than just whether they are in compliance; they also need to pay attention to what their clients are doing.
Among the biggest hurdles banks and retailers face in complying with the new standards are the expanded requirements on multifactor authentications for employees. Although many banks already have
Multifactor authentication for employees is not new to most banks, Mattei said, but the particular implementation requirements set forth in PCI DSS 4.0 could be. Rather than merely authenticating themselves when they log in at the beginning of the day, employees will need to use a second form of authentication each time they try to access sensitive payment information on consumers.
As for the standards as a whole, Mattei said that larger banks will likely have an easier time complying than smaller players.
Regional and community banks "may be somewhat dependent upon third parties to make changes, before they are able to comply," Mattei said. "Larger financial institutions typically have their own internal tech stack and have more control over that environment, which makes it maybe a little bit easier for them."
Adam Perella, a manager also at Schellman, said banks also need to be "very" concerned about the compliance posture of their clients.
"By both facilitating transactions and managing the compliance of their merchants, banks must be proactive to keep their merchants compliant and cardholders' data secure," Perella said. "Acting as a resource for questions on scope or risk, banks can provide guidance based upon the payment acceptance methods and technologies deployed by merchants."
According to data from
Verizon pointed to multiple factors contributing to the shortfall, which has persisted as a major problem for years according to its ongoing reports. Some payment processors incorrectly interpret the requirements — by assuming, for example, that achieving annual compliance qualifies as regular testing. Others complete vulnerability assessments but lack understanding of how to interpret the reports.
According to the Verizon report, full compliance with the current standard (version 3.2.1) was at 43% as of 2020, up from 28% the previous year but lower than the historical high of 55% in 2016. According to Matt Crane, a senior manager also with Schellman, firms have faced challenges complying with the PCI DSS because of "scope creep," which he described as organizations integrating parts of their business into the networks that support their cardholder data management systems when they should not.
"It is often impractical to expect the same level of security controls on systems used by sales or marketing, which makes it increasingly difficult to meet PCI DSS requirements if the scope of the cardholder data environment is not locked down," Crane said. "The best course of action is often to create a separate networking environment specifically for the systems that store, process or transmit cardholder data."
Fortunately, the new requirements provide a new path forward for some payment processors who have found the approach to date to be too prescriptive. The council in charge of the PCI DSS highlighted as one of its major changes with 4.0 an increase in "flexibility for organizations using different methods to achieve security objectives" in
According to Mattei, that means rather than meeting every requirement as spelled out in the standard, the new rules provide some leeway to payment processors to comply with the intent of each requirement without meeting the letter of them.
"It is really difficult when the 'thou shalt do X' doesn't really fit the model of your particular business," Mattei said. "There are many ways to skin the cat, so if you understand what the standard is trying to achieve, you can find a way to comply based on the tools or methodologies that you have deployed already, and that makes compliance a little bit easier for everybody."