Hackers are getting better at hacking—which means the Payment Card Industry Security Standards Council must get better at coming up with new strategies to protect cardholder data.
The PCI Council, in case you were wondering, is the group responsible for creating and maintaining the PCI Data Security Standard, or PCI DSS.
This is what we mean when we talk about PCI compliance.
PCI-DSS regulations are updated continually to ensure online payment transactions are as secure as possible.
And, if your business fails to comply with those regulations, you could be looking at steep fines or worse; non-compliance may result in losing your ability to accept credit card payments altogether.
So, let’s talk about those recent changes.
The new PCI compliance rules (dubbed PCI DSS 3.2) went into effect on June 30, 2018, and impact all merchants that accept credit payments at a physical terminal, through a point of sale (POS) system, or in an online store.
One of the biggest requirements is that businesses must upgrade to TLS 1.2 encryption or higher to remain compliant with PCI Council standards.
TLS stands for transport layer security and has all but replaced SSL (secure sockets layer) as a means of ensuring that information shared over the internet remains secure.
This also involves disabling any fallback to SSL.
Why? Because a browser connecting to a website will automatically “fall back” and try again with a lower-security encryption protocol if the first higher-security encryption protocol fails.
One thing to note here: The PCI Council points out that, “POS POI terminals that are verified as not being susceptible to any known exploits, and the service provider termination points to which they connect, may continue using SSL/early TLS as a security control.”
What other changes should merchants be aware of?
In addition to the mandatory encryption protocol upgrade, PCI DSS 3.2 also features expanded requirements for multi-factor authentication when accessing cardholder data.
Merchants—as well as the service providers that transmit, process and store cardholder data—must also be able to verify and document that all changes have been made and that their systems and networks are up to date with current compliance rules.
Bottom line: you can’t afford to be lax about compliance.
PCI compliance may be the last thing on your mind right now, but if you haven’t yet implemented these changes or checked with your service provider to make sure you’re compliant, it could cost you big time.
At the end of the day, the new rules are there to protect merchants as well as cardholders, so maintaining compliance is definitely in your best interest as a business owner.
If you have questions about whether your business is PCI compliant, first take a look at our top four pro compliance tips.
Next, call MyWatchmen at 1-888-256-2845 or set up a time to meet with us.
As one of the leading providers of end-to-end merchant protection and optimization solutions, we take the time to answer all of your questions about PCI compliance and can perform a thorough assessment of your current security standards to ensure your business is up to date with the latest PCI DSS requirements.