April 20, 2021

MFA Expert Answers Your Top 5 PCI Compliance Questions

1. What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) lays out how actions must be tied to specific users and be trackable (that is, logged) in order to protect cardholder data through secure authentication.

2. What types of companies need to be PCI compliant?

Companies that handle card data to any extent (processing, transmitting, storing) are required to be PCI DSS compliant. Cardholder data (CHD) is extremely sensitive, sought after by scam artists and other threat actors alike as an easy source of profit. A breach of cardholder data is devastating both to the cardholder, who can become a victim of fraud, and to the enterprise itself, as it destroys public trust in its security practices.

Compliance with PCI DSS reduces the chance of a breach by holding the organization to a standardized set of security measures for managing cardholder data and the cardholder data environment (CDE).

3. What is required to be PCI DSS compliant?

Currently, PCI DSS consists of the following twelve requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors

PCI DSS is also updated periodically. PCI DSS is currently at version 3.2.1, and we anticipate PCI DSS 4.0 this year. The latest standards for PCI DSS compliance are available here.

4. What are the consequences if a company is not PCI compliant?

Failing to be PCI compliant puts the enterprise at increased risk of a breach. Should a breach occur while the enterprise is not PCI DSS compliant, it is subject to fines ranging from $5,000 to $500,000, as well as having its merchant accounts revoked. These consequences come on top of the cost of damages and the loss of customers due to decreased trust.

5. How does continuous authentication help with PCI compliance?

While the current PCI DSS standards reduce the risk of a breach, they are a baseline rather than a finish line. As an example, PCI DSS 3.2.1 currently says a password must have a minimum of 7 characters and contain both alphabetic and numeric characters. So “password1” is permitted as a password, even though it is obviously a very weak one.
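To make the gap concrete, here is an added example (not code from Acceptto or from the original post) that implements the PCI DSS 3.2.1 password floor beside a stricter policy that also rejects common passwords; the denylist and the 12-character minimum are constructed assumptions standing in for a real breached-password feed and an organization's own policy.

```python
import re

# Constructed denylist standing in for a breached-password corpus
# (assumption: a real deployment would query a large breach dataset instead).
COMMON_PASSWORDS = {"password1", "welcome1", "qwerty123", "letmein1"}


def meets_pci_321_minimum(password: str) -> bool:
    """PCI DSS 3.2.1 Requirement 8.2.3 floor: at least 7 characters,
    containing both alphabetic and numeric characters."""
    return (
        len(password) >= 7
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def meets_stronger_policy(password: str, min_length: int = 12) -> bool:
    """Goes beyond the floor: longer minimum length (assumed value),
    a denylist of common passwords, and no run of 4+ identical characters."""
    if not meets_pci_321_minimum(password):
        return False
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    if re.search(r"(.)\1{3,}", password):
        return False
    return True


def evaluate(password: str) -> dict:
    """Report how the same password fares under each policy."""
    return {
        "pci_minimum": meets_pci_321_minimum(password),
        "stronger": meets_stronger_policy(password),
    }


if __name__ == "__main__":
    # "password1" satisfies the PCI DSS 3.2.1 floor but fails the stricter policy.
    for candidate in ("password1", "abc123", "correct horse battery 42"):
        print(candidate, evaluate(candidate))
```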

Acceptto’s approach goes beyond the PCI DSS baseline to provide ongoing, continuous awareness of data access. This offers many additional security, functionality and usability benefits, some of which satisfy further requirements, and many of which are not part of any standard. A few key things Acceptto’s authentication approach supplies from a technical, security or compliance perspective:

  • With no passwords, attackers have fewer options for attacking an organization’s environment.
  • With continuous, real-time monitoring of identity and behavioral AI, threats can be reviewed and action taken at run-time to prevent a threat from becoming a breach.
  • Using risk to drive policy orchestration creates a dynamic approach to authentication and enables continuous, automated enforcement.

From a business perspective, here are a few considerations:

  • The best user experience imaginable: with no passwords and behavioral AI/ML, users authenticate effortlessly. Not only do users get to focus on real work and save time, it is also more secure.
  • Reduced operational costs: removing the need for password resets reduces help desk costs significantly, resulting in net savings for the enterprise.
  • Effortless out-of-the-box implementation, customization and integration with existing authentication systems: Acceptto can work with whatever you have in place and take it to a new level, or it can be used to replace aging technology.

PCI DSS is one of many security standards that make the digital landscape safer to navigate for both consumers and enterprises. Acceptto’s solution is compliant with PCI DSS and others, going above and beyond the minimum requirements by delivering risk-based continuous behavioral authentication across all platforms.

Download the Authentication and PCI DSS paper here

For more information, reach out to our Sales team here

By Alan Krassowski, Vice President of Technology  
