With cyber threats increasingly sophisticated and prevalent, organisations handling card payments need to stay one step ahead of attackers. The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements that applies to any organisation that stores, processes or transmits cardholder data, with the aim of reducing fraud and protecting sensitive payment data.
The need for such a standard is underscored by the 2024 UK Finance Annual Fraud Report [1], which reported that online card fraud alone cost businesses £260 million in the previous year, with total fraud across all payment types exceeding half a billion pounds.
The security controls in PCI DSS are designed to address the common causes of card fraud, from hacking and phishing attacks to the tampering of card-reading devices. Since 1 April 2024, when version 3.2.1 was retired, version 4.0 has been the only active version of the standard. It introduces a host of new requirements to counter evolving threats; a number of these were initially classed as best practice and become mandatory on 31 March 2025.
Achieving and maintaining PCI DSS compliance is an ongoing effort rather than a one-off exercise. Cyber criminals continually refine their tactics, and the standard is revised in response; version 4.0 is the latest step in that evolution, with new and enhanced requirements aimed at contemporary attacks on payment systems.
The Prizes of PCI DSS Compliance
In case you’re wondering why it’s important to comply with the new revision, it does have significant advantages. The benefits of PCI DSS compliance are two-fold:
- Reduced risk of breaches: the controls in PCI DSS target the attack vectors most commonly used against payment systems, so implementing them properly materially lowers your exposure to a compromise of cardholder data
- Reduced exposure to penalties: fines and other penalties following a breach are set by the card schemes and your acquiring bank, and an organisation that can demonstrate it was compliant at the time of the breach is in a far stronger position to reduce or avoid them. Compliance is not an automatic shield, however: the forensic investigation that follows a breach will examine whether the required controls were actually in place and working
The Pitfalls of PCI DSS Version 4.0
Despite its benefits, complying with PCI DSS, and with the latest version in particular, poses significant challenges. The requirements, even in their simplified forms such as the Self-Assessment Questionnaires (SAQs) for merchants, demand a certain level of expertise in cyber and information security. Our observations since version 4.0 became mandatory are that many organisations struggle with the new demands, primarily because they lack the skills and budget to meet them.
Key areas where businesses are facing difficulties include:
- Tracking and fixing code vulnerabilities: requirement 6.3.2 calls for an inventory of bespoke and custom software and of the third-party components it incorporates, so that vulnerabilities in those libraries can be identified and fixed; keeping that inventory accurate across every application is complex and time-consuming
- Identifying scripts on payment pages: requirement 6.4.3 requires every script loaded and executed in the consumer's browser on a payment page to be authorised, integrity-checked and recorded in an inventory with a written justification; this is particularly challenging with content management systems and tag managers, which can load scripts that nobody consciously chose, so thorough oversight is needed to ensure all JavaScript is accounted for
- Deploying website tamper detection tools: requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorised modification of the HTTP headers and contents of payment pages as received by the consumer's browser, run at least every seven days or at a frequency justified by a targeted risk analysis; this is critical for early detection but can be technically demanding
- Setting strong password policies: version 4.0 raises the minimum password length for personnel accounts to 12 characters (requirement 8.3.6) and extends password controls to application and system accounts, including a ban on hard-coded credentials in scripts and configuration files (requirement 8.6); fundamental, but often overlooked
- Regular review of access controls: user accounts and their privileges must be reviewed at least every six months (requirement 7.2.4), and application and system accounts assigned only the privileges they need (requirement 7.2.5); regular review is necessary to keep access aligned with what is actually required
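The script-inventory and tamper-detection items above are the two that most often need tooling rather than policy. As an added illustration (this is example code written for this page, not code from the original article or from the consultancy), the following Python script inventories every `<script>` element on a payment page, records external scripts by URL and `integrity` attribute and inline scripts by SHA-256 hash, freezes that as the approved inventory with a written justification per script, and then flags anything that differs on a later fetch. The two HTML samples, the URLs and the integrity digest are constructed for the example; a real deployment would fetch the page exactly as a consumer browser receives it (and compare the HTTP headers as well, which 11.6.1 also covers) and run on a schedule of at least every seven days.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample of the approved payment page as first reviewed (hypothetical URLs
# and a placeholder integrity digest; a real one is the base64 hash of the served file).
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.checkoutConfig = { currency: "GBP", retries: 3 };</script>
</head><body><form id="card-form"></form></body></html>"""

# Constructed sample of the same page as later served to a consumer browser: an unapproved
# third-party script has appeared and the inline configuration script has been altered.
TAMPERED_HTML = """<html><head>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.example.net/analytics.js"></script>
<script>window.checkoutConfig = { currency: "GBP", retries: 3, debug: true };</script>
</head><body><form id="card-form"></form></body></html>"""

# Written justification per script, which requirement 6.4.3 asks the inventory to record.
JUSTIFICATIONS = {"https://cdn.example.com/checkout.js": "payment provider's hosted-fields library",
                  "inline": "checkout configuration emitted by the CMS template"}


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser delivers script bodies via handle_data
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inventory(html):
    """One record per script: external scripts by src and SRI attribute, inline ones by hash."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    records = []
    for s in parser.scripts:
        if s["src"]:
            records.append({"type": "external", "src": s["src"], "integrity": s["integrity"]})
        else:
            records.append({"type": "inline", "sha256": sha256_hex(s["body"].strip())})
    return records


def build_baseline(html, justifications):
    """Turn a reviewed page into the approved inventory (what 6.4.3 expects you to hold)."""
    approved = {"external": {}, "inline": {}}
    for r in inventory(html):
        if r["type"] == "external":
            approved["external"][r["src"]] = {"integrity": r["integrity"],
                                              "justification": justifications.get(r["src"], "UNJUSTIFIED")}
        else:
            approved["inline"][r["sha256"]] = {"justification": justifications.get("inline", "UNJUSTIFIED")}
    return approved


def check_page(html, approved):
    """Compare a freshly fetched page against the approved inventory and return findings."""
    findings = []
    for r in inventory(html):
        if r["type"] == "external":
            entry = approved["external"].get(r["src"])
            if entry is None:
                findings.append(f"unauthorised external script: {r['src']}")
            elif r["integrity"] != entry["integrity"]:
                findings.append(f"integrity attribute changed or removed: {r['src']}")
            elif r["integrity"] is None:
                findings.append(f"approved script served without subresource integrity: {r['src']}")
        elif r["sha256"] not in approved["inline"]:
            findings.append(f"inline script not in inventory (sha256 {r['sha256'][:16]}...)")
    return findings


if __name__ == "__main__":
    approved = build_baseline(BASELINE_HTML, JUSTIFICATIONS)
    print("baseline findings:", check_page(BASELINE_HTML, approved))
    for finding in check_page(TAMPERED_HTML, approved):
        print("ALERT:", finding)
```

Two practical caveats. The script does not download external scripts, so for those it relies on the `integrity` attribute (subresource integrity) to make the browser refuse a modified file; scripts that change too often for SRI, such as tag-manager containers, are precisely the ones that need a written justification and closer monitoring. Hashing inline scripts is also brittle when a CMS emits per-request values such as nonces or CSRF tokens into them; either normalise those values before hashing or move them out of the script into data attributes so that the approved hash stays stable.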
How our Cyber Security Consultants Can Help
Our cyber security consultants are Qualified Security Assessors (QSAs), offering specialised support to organisations aiming to comply with or upgrade to the latest PCI DSS standards. Our team can provide the necessary expertise and resources to help you overcome the pitfalls of compliance and secure your payment systems effectively.
How We Work
Our aim is to support you in achieving PCI DSS compliance and effective cyber security. Here are a few of the ways we do this:
- Provide expert, vendor independent, technical and security advice
- Always seek ways to reduce the scope of compliance to minimise costs and impact
- Offer solutions to complex problems, such as legacy systems
- Advise on the development of policies, procedures and standards
- Analyse complicated and varied payment systems, to identify where PCI DSS does and doesn’t apply
- Aid in completing self-assessment questionnaires (SAQs)
- Conduct full assessments for organisations and service providers
No two organisations or payment environments are the same, so every solution is applied specifically to yours: we take a tailored approach to ensure you achieve compliance and meet your security obligations.
[1] UK Finance, Annual Fraud Report: https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2023