
PCI Council updates PCI DSS requirements to version 4.0

The PCI Council recently launched version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). This new version introduces a number of changes that companies need to be aware of.

In this article, we’ll discuss a little more about the background to PCI DSS, as well as the main changes in the new version and how companies can prepare for them.

What PCI DSS is and why you need to comply with it

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security rules designed to protect cardholder data.

Any organization that accepts, processes or stores credit or debit card information must comply with the PCI standard.

Non-compliance can result in significant fines from the card brands, as well as an increased risk of data breaches.

PCI DSS includes requirements to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures and regular monitoring and testing of systems.

Requirements that guarantee the security of financial transactions

Basically, there are 12 requirements that cover everything from how data is encrypted to how physical security is maintained. Meeting these requirements can be a challenge, but it is essential for any company that wants to protect its customers’ information.

In addition, many companies are demanding that their suppliers are also PCI compliant. So if you want to do business with them, you’ll need to make sure you comply with the PCI DSS standard.

By following these best practices, organizations can help protect themselves against data theft and fraud.

What are the main changes in PCI DSS 4.0?

One of the most important changes in PCI DSS 4.0 is the requirement for multi-factor authentication (MFA) for all access to cardholder data.

MFA adds an extra layer of security by requiring users to provide two or more pieces of information before being granted access.

This can include something the user knows, such as a password, something the user has, such as a digital token, or something the user is, such as a fingerprint.

By requiring several factors, it becomes much more difficult for unauthorized individuals to gain access to confidential data.

Another significant change in PCI DSS 4.0 is the introduction of requirements for software-based PIN entry on COTS devices.

This means that merchants need to ensure that their point-of-sale (POS) terminals are able to accept PINs entered via software, such as a smartphone app.

Changes that will help reduce fraud by making it harder for cybercriminals to steal and use customer data as it is entered

Other changes include the addition of new requirements for protection against malware and vulnerabilities, as well as stricter requirements for incident response and password management.

Overall, the revised PCI DSS provides stronger protections for cardholder data and helps ensure that organizations are better prepared to respond to security incidents.

Finally, the PCI standard update includes new requirements for incident response plans. In particular, organizations will need to have procedures in place to quickly identify and contain data breaches.

This can include isolating affected systems, notifying law enforcement authorities and actively monitoring systems for unauthorized access.

Important feature for PCI DSS 4.0 certification: payShield 10K guarantees payment security

The fifth generation of payment HSMs from Thales, an EVAL partner company, offers a suite of proven security features in critical environments, in addition to transaction processing, protection of sensitive data, payment credential issuance, mobile card acceptance, and tokenization.

payShield 10K can be used throughout the global ecosystem by issuers, service providers, acquirers, processors and payment networks, offering a number of benefits for companies, demonstrating Thales’ commitment to the continuous improvement of its products.

High performance cryptographic support

Today, card payments and online digital payments are growing year by year, requiring you to constantly monitor and upgrade your processing bandwidth.

payShield 10K offers significantly higher RSA and 3DES performance than its predecessors, which can reduce the number of devices needed compared with the previous generation and lower your costs.

This faster cryptographic engine also provides more consistent and predictable performance across all host commands, even in heavy load situations and when TLS-based secure communications are in use.

In addition, to support new payment methods, payShield 10K is able to leverage very fast hardware-based ECC processing in addition to the legacy 3DES, AES, and RSA algorithms.

Many of the emerging payment credential issuance use cases use ECC instead of RSA, especially when the payment instrument is a mobile, IoT or connected device.

payShield 10K is ready for enhancement to support a much wider range of cryptographic algorithms and mechanisms as they become formalized as part of the growing range of payment security specifications.

In practice, payShield 10K offers the following benefits for companies seeking PCI DSS 4.0 certification:

  • Simplifies deployment in data centers;
  • Offers high resiliency and availability;
  • Provides the broadest card and mobile application support in a timely manner;
  • Supports performance upgrades without hardware change;
  • Maintains compatibility with all legacy Thales payment HSMs.

As the payments world increasingly looks for new deployment models involving a mix of private and public clouds, payShield 10K is specifically designed to offer secure remote management and monitoring, providing a true ‘contactless’ experience.

This provides support for various types of payment service offerings and more capabilities to perform functions securely across a wide range of operating environments.

With its enhanced features, payShield 10K is well suited to handle the ever-changing landscape of payment security.

With payShield 10K you are assured that your company meets the highest security standards in the financial industry.

EVAL Professional Services has a team of specialized professionals with the best practices in the market

Benefit from our years of experience and expertise in information security and LGPD compliance. We will be your partner for realizing digitization projects in compliance with security and data protection regulations.

We share our expertise across all business flows in healthcare organizations to help you minimize risk, maximize performance, and ensure the data protection your patients and partners expect.

About EVAL

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends, but is also in a constant quest to bring something new by offering solutions and services that make a difference to people’s lives.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval safety is value.