One New Year’s resolution that every retailer needs to add to their list as we kick off 2019 is to reevaluate their compliance strategy in light of the recent PCI DSS supplements.
PCI DSS Compliance
We recently blogged some thoughts on PCI DSS 3.2.1 in “Multi-Factor Authentication And PCI Compliance”, but there are a few other things you should be aware of with respect to this very important regulation. Specifically, the key changes introduced include:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
- Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
- Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which previously formed a separate document.
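The first bullet, the SSL and early TLS sunset, is the one a retailer can verify directly in web server configuration. The following audit script is an added example, not code from this post or from Acceptto: it parses the nginx `ssl_protocols` and Apache httpd `SSLProtocol` directives and reports any directive that still enables a sunset protocol. It treats SSLv2, SSLv3 and TLS 1.0 as sunset per the PCI bulletin; flagging TLS 1.1 as well is this example's own assumption. The sample configuration strings are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Protocol versions this example treats as sunset. PCI DSS 3.2.1 and the PCI SSC
# "Migrating from SSL and Early TLS" bulletin retire all SSL and TLS 1.0; this
# example also flags TLS 1.1 (an assumption, in line with common hardening guides).
SUNSET = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# What Apache httpd 2.4 mod_ssl expands the "all" keyword to (SSLv2 is not built in).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

_NGINX = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")
_APACHE = re.compile(r"^\s*SSLProtocol\s+([^#]+)$", re.IGNORECASE)


def nginx_enabled(line: str) -> Optional[Set[str]]:
    """Protocols enabled by an nginx `ssl_protocols` directive, or None if not one."""
    m = _NGINX.match(line)
    return set(m.group(1).split()) if m else None


def apache_enabled(line: str) -> Optional[Set[str]]:
    """Protocols enabled by an Apache `SSLProtocol` directive, or None if not one.

    Tokens are applied left to right, as mod_ssl does: `all` selects APACHE_ALL,
    `-X` removes X, and `+X` or a bare `X` adds X.
    """
    m = _APACHE.match(line)
    if not m:
        return None
    enabled: Set[str] = set()
    for tok in m.group(1).split():
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(config: str) -> List[Dict[str, object]]:
    """Return one finding per directive that still enables a sunset protocol."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        enabled = nginx_enabled(line)
        if enabled is None:
            enabled = apache_enabled(line)
        if enabled is None:
            continue  # not a protocol directive
        weak = sorted(enabled & SUNSET)
        if weak:
            findings.append({"line": lineno, "directive": line.strip(), "sunset": weak})
    return findings


# Constructed sample configurations (not taken from any real deployment).
NGINX_WEAK = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n"
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv3\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for name, cfg in [("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED),
                      ("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED)]:
        print(name, audit(cfg) or "no sunset protocols enabled")
```

The Apache case is the one that catches people: `SSLProtocol all -SSLv3` reads as hardened but still leaves TLS 1.0 and 1.1 enabled, because `all` is expanded first and only the versions explicitly subtracted are removed. A static check like this complements, rather than replaces, testing the live listener, since the compiled OpenSSL version and defaults also decide what is actually negotiated.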
It should also be noted that PCI DSS compliance is not a “nice to have” for any retailer looking to execute credit card transactions; it is a “need to have”. According to a recent SecurityWeek article titled “What You Need to Know About PCI DSS Compliance this Holiday Season”:
“All major credit card companies – Visa, MasterCard, American Express, Discover and JCB – abide by a set of security standards to ensure protection of sensitive customer information, such as credit card numbers, during transactions. Any business that wants to conduct even a single retail transaction using credit cards must comply with PCI DSS or it will be unable to accept payments by credit card. If a company is just starting to accept credit card transactions – perhaps as an online retailer or a smaller business – then the first thing to understand is how payments are being processed and what data is being collected and stored. Once the type of data being collected is understood, then it is easier to identify what information is needed and what is not. This is a critical first step to understanding which requirements apply to a specific company.”
The article further points out that:
“As with many other compliance regulations, PCI DSS places the responsibility for compliance on the business conducting the transactions; meaning the retailer is responsible for both the compliance of its third-party payment service providers and internally-hosted systems.”
Satisfying Credential Authentication Compliance
The PCI Security Council has identified a three-step process as the best way to maximize the security of cardholder data. They recommend continuously monitoring and enforcing the use of the controls specified in the PCI Data Security Standard, and suggest you approach this as an ongoing process rather than a one-time (or even just annual) project. The continuous process recommended is:
- Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Ultimately, the council will not enforce a specific company’s compliance; however, individual payment brands or acquiring banks will take this very seriously and can revoke your ability to execute credit card transactions. For some organizations this can cost thousands to millions of dollars. This means that you will need an immutable way to identify the credentials of credit card administrators and even your online retail customers.
Cognitive Authentication Exceeds Requirements
Acceptto is built on the premise that your credentials today, and those that you’ve yet to create, have already been compromised. Your identity cannot simply be based on a password or a one-time token or only your biometrics. Your immutable identity is a combination of your physical behaviors, attributes and Digital DNA. We believe that what you need is a way to immutably authenticate someone in order to be truly secure and compliant.
We call it Cognitive Authentication. You can eliminate preventable harm with our Biobehavioral AIML technology that enables frictionless authentication, prevents credential stuffing instantaneously, ensures your true immutable identity continuously, and dramatically reduces risk, likelihood of fraud and cost of helpdesk operations without the guesswork or latency.
Acceptto is a transformative multi-factor authentication technology that delivers continuous identity protection and peace of mind in an age where passwords are ineffective and identity authentication is mission critical.
See for yourself what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy, especially for your PCI compliance requirements. Register for a free trial today.