Payment card industry (PCI) compliance is a set of guidelines that govern data security across a broad range of debit card, credit card and ACH payments. In order for your merchant account to remain in good standing, you must satisfy the regulations outlined by the PCI Security Standards Council.
But as with most regulatory guidelines, PCI standards evolve with time, usually to reflect changing needs or emerging security threats. The first standards were established in December 2004 (PCI 1.0), and the payment industry has benefited from two additional major updates:
- PCI 2.0 was introduced in October 2010 and comprises the official rules that all credit card processing gateways must currently follow. However, these rules will expire in December 2014.
- PCI 3.0 was released in November 2013. These newer guidelines will become official "best practices" in January 2015 before becoming mandatory in June of that year.
As a merchant, what can you expect as PCI 3.0 transitions from a set of recommended best practices to mandatory requirements?
The Key Differences between PCI 2.0 and 3.0
There are a number of important changes between the original launch of PCI 2.0 and the upcoming 3.0 guidelines. Fortunately, most of these updates are minor and require very few merchant-side upgrades. The biggest differences center on four main themes, summarized below:
1. Educational Awareness
PCI compliance is a critical aspect of secure payment processing. But many merchants are unaware of PCI's importance or application. The 3.0 update resolves this by helping to establish a "culture of security" through educating organizations about liability, accountability and fraud protection.
To accomplish this, the new guidelines have been streamlined and written in more accessible language to help merchants understand what PCI compliance involves.
2. "Business As Usual" Integration
PCI 3.0 includes a new set of implementation best practices intended to make PCI compliance an integral part of every business's operations. Rather than conducting annual validation exercises before upcoming security audits, companies are encouraged to weave these practices into their regular operations, making full compliance both seamless and painless.
3. Clearer Intent and Testing
Under PCI 2.0, businesses could get away with lackadaisical penetration testing of their data security systems and still technically qualify as compliant. PCI 3.0 adds more rigorous requirements to ensure merchants scan for vulnerabilities in a manner more consistent with the intended spirit of these mandated penetration tests.
4. Shared Responsibilities
The new update also removes much of the confusion over who is ultimately responsible for payment fraud prevention. PCI 3.0 makes it clear that all stakeholders within the payment supply chain must take proactive steps to protect credit card information from hackers and thieves. Whether as a merchant, service provider or card issuer, it is no longer possible to outsource accountability (the one exception is for merchants who use hosted payment forms to reduce their PCI scope).
Is Your Business Ready for the PCI 3.0 Update?
Worried that you might not qualify for the upcoming 3.0 changes in PCI compliance? Or perhaps your current payment infrastructure still lags behind the 2.0 rules?
Let us help you update your payment processing to ensure that it satisfies all legacy and upcoming PCI compliance rules. You can either schedule a free appointment with our payment support team or use the links below: