
Payment security standards evolve post-pandemic

People walk by a window sticker advertising Visa and Mastercard credit cards Feb. 25, 2008, in San Francisco. (Justin Sullivan/Getty Images)

The Payment Card Industry Data Security Standard (PCI-DSS), a standard aimed at reducing credit card fraud, has been around for nearly two decades. However, given the seismic changes in payments, particularly digital payments, the standard is undergoing changes.

PCI-DSS is in its fourth iteration (PCI DSS 4.0), which has been in the works since 2019. While the standard is mandated by Visa and Mastercard, it is managed by the Payment Card Industry Security Standards Council. Recently, close to 3,500 card-standard stakeholders came together to discuss emerging payment security threats and best practices.

“The Global Community Forum brings together global leaders in the payments security industry to learn, share and discuss the current state and future of payment security,” said PCI SSC Executive Director Lance J. Johnson in a prepared statement. “Collaboration is a core tenet of the council. The feedback from this collaboration is what drives the changes to our standards and programs and helps us address changing technologies and emerging threats to payment data.”

In the 17 years since PCI-DSS was initially created, the payments business and payments security have undergone huge change, according to Troy Leach, senior vice president and engagement officer for the PCI Standards Council. Leach has been an employee of the council almost since the birth of the PCI standard. The PCI governing body has been keeping watch over the industry, Leach said. “When the pandemic first started, we thought all these remote activities would be temporary,” he said. “But because of the length of the pandemic, we recognize that there’s a lot more remote access.”

As a result, the group has been taking into account what security professionals and users must now do more often from a remote location, and how that affects their access. And yet, beyond holding to the standards, Leach said that his group and others have a responsibility to “educate the community to do things as securely as they have done before ... without creating new security issues.”

“Remote standards have allowed so many people to have [secure access],” Leach said. At the same time, however, the PCI board, like so many other financial professionals, recognizes that “criminals are taking advantage” of this broader use of remote and mobile access, by FSI employees as well as customers. As a result, social engineering and phishing attacks have skyrocketed, as criminals pursue more “creative ways” to access accounts, Leach said.

While establishing clear and consistent standards like PCI-DSS is critical, Leach pointed out that it “always comes down to education, developing white papers ... training on working from home. People need to be able to handle sensitive information from their home.”

Even before the PCI standard came into play, Leach said, FSIs used other forms of “customized validation.” Criminals are targeting remote users more aggressively, he said. The update to the PCI-DSS standard is being brought into line with the most recent NIST standard, to support an overarching “cybersecurity framework.”
