Every organization that captures, processes, stores, transmits, or affects credit card data is expected to comply with the security guidelines established by the Payment Card Industry (PCI).
These data security rules apply to multinationals, small shops and nonprofits alike. Failure to become PCI-compliant can lead to hefty fines for that organization.
Equally important, these guidelines continue to evolve over time as criminals develop newer and smarter data breaching techniques. As such, merchants must continuously update their security protocols to remain in good standing with the latest best practices.
Below are just some of the biggest PCI changes for 2019 and beyond.
1. Phone-Based CNP Transactions
Sending and receiving payment data always carries certain risks. However, for card-not-present (CNP) transactions, the potential threat of fraud or abuse is much higher since it’s not possible to easily verify the authenticity of the cardholder.
This danger has become especially pronounced in the wake of EMV credit cards. Thanks to their embedded security chips, EMV cards provide unrivaled protection when making in-person purchases. This has incentivized criminals to move their activity online or to mail- and phone-based operations.
If you run an e-commerce store, security features such as fraud management filters can help reduce the severity and frequency of credit card abuse. Phone-based credit card processing is a different matter: the PCI security protocols for it haven’t been updated since 2011. Not surprisingly, fraud in this arena has increased substantially over the past several years.
This is why the Payment Card Industry introduced a new set of guidelines in November 2018. These updates help to address the rapidly changing landscape as technologies such as voice over Internet protocol (VoIP), cloud infrastructure and interactive voice response (IVR) become more permanent fixtures of the telecommunications industry.
The exact list of changes is vast, spanning 70 pages, but the broad strokes fit into three main categories:
- People: Phone-based merchants and call centers can reduce fraud by creating a culture of security with clearly defined roles and access rights. In other words, credit card data should only be shared on a need-to-know basis to limit potential breaches.
- Processes: Organizations can further reduce fraud by developing more tightly controlled systems and environments. For example, call center operators may be asked to temporarily store their mobile devices to minimize the possibility of recording sensitive information while on customer calls.
- Technology: Phone-based environments should leverage security protocols such as multi-factor authentication, keyboard logging devices and antivirus software to reduce the likelihood of data breaches. These technologies have already proven very successful in the wider IT world. With the new PCI updates, they’re now being leveraged for CNP transactions over the phone.
2. CNP Authentication and Validation
Like the Payment Card Industry, EMVCo is a standards body that exists to help safeguard payment data from fraudulent abuse. It recently introduced version 2.2 of its 3-D Secure Standard — a new protocol that allows merchants to authenticate CNP transactions for phone-based orders.
More specifically, version 2.2 introduces the ability to independently initiate and verify credit card transactions, even if the cardholder isn’t online at the time of the sale.
Although using this new standard is not an official requirement for PCI compliance, it can help decrease fraud and reduce your PCI scope significantly.
3. New PCI Framework for Software Vendors
The Payment Card Industry has also updated its Secure Software Standard and Secure Software Lifecycle Standard for software vendors and those who develop payment-dependent applications.
Although still under development, this new PCI Software Security Framework will replace the older Payment Application Data Security Standard by introducing more validation requirements for both software developers and security assessors (i.e., those who vet programs for PCI compliance).
As a merchant, these software security rules probably won’t affect you directly. That said, when shopping for applications and platforms, you’ll want to consider only those tools that comply with the latest standards.
Have Questions About These PCI Compliance Changes?
Navigating the data security landscape can be intimidating — especially if you have limited resources and technical know-how — but at BluePay, we’re here to help.
If you have questions about becoming or remaining PCI-compliant, schedule a free consultation with our merchant services team today.