{"id":11369,"date":"2022-12-07T11:49:00","date_gmt":"2022-12-07T11:49:00","guid":{"rendered":"https:\/\/contentsecurity.com.au\/?p=11369"},"modified":"2023-01-18T12:06:09","modified_gmt":"2023-01-18T12:06:09","slug":"why-your-business-must-meet-these-new-standards-for-accepting-credit-card-payments","status":"publish","type":"post","link":"https:\/\/contentsecurity.com.au\/why-your-business-must-meet-these-new-standards-for-accepting-credit-card-payments\/","title":{"rendered":"Why your business must meet these new standards for accepting credit card payments"},"content":{"rendered":"\t\t
Does your business accept credit card payments?<\/em><\/strong> If so, you must move to comply with the latest version 4.0 (V4.0) of the PCI DSS standard by 31 March 2025. The current compliance version is V3.2.1.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t The PCI Security Standards Council<\/a> sets the Payment Card Industry Data Security Standard \u2013 or PCI DSS for short. That standard aims to ensure safe payment processing worldwide. The council issued the latest version, V4.0, in March 2022 and there is a two-year grandfathering overlap from the current version (V3.2.1) through to March 2024, but some of the Version 4.0<\/em> changes are initially recommendations that do not become mandatory until March 2025.<\/em><\/p> The PCI DSS standard is an industry standard and not <\/em>part of any country\u2019s laws, including Australia.<\/p> However, complying with the standard is a contractual requirement<\/em> for businesses and organisations as part of their merchant agreement with their acquiring bank. This involves activities that store, process and\/or transmit the cardholder data of Mastercard, Visa or AMEX credit card holders, plus any activities that may impact the security of that cardholder data such as third-party service providers.<\/p> The PCI DSS standard covers 12 domains of security controls depending on which compliance level category a retailer or e-commerce business fits into. The PCI DSS is issued by the PCI Council on behalf of the major card brands.<\/p> You can read the details in this 36-page guide<\/a> <\/strong>from the PCI Security Standards Council. It also summarises the new requirements. Some changes are significant, others are minor. V4.0 emphasises controls to deflect cyber attacks that involve phishing and social engineering.<\/p> Some changes need to be enacted immediately upon cyber security assessment. 
But you won\u2019t need to comply with the bulk of the new requirements until March 2025.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t The standard has four compliance levels:<\/p> Level 1: <\/strong>Merchants who process more than six million Mastercard or six million VISA card transactions each year.<\/p> Level 2: <\/strong>Merchants processing between one million and six million Mastercard or one to six million VISA card transactions annually.<\/p> Level 3: <\/strong>Merchants who process 20,000 to one million Mastercard or 20,000 to one million VISA transactions annually.<\/p> Level 4: <\/strong>Merchants processing under 20,000 Mastercard or 20,000 VISA transactions each year.<\/p> Businesses that have recently suffered a cyber-attack or are deemed an information security risk could<\/em> be escalated to a higher level.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t You might think your business is too small to be caught in the PCI DSS compliance net.<\/p> However, your merchant agreement with your bank, or financial institution, may spell out your need to follow the standard. 
For most businesses, they\u2019ll expect you to send them an annual return to verify your compliance.<\/p> If you don\u2019t comply, they could withdraw that payment processing service, which would be a major inconvenience for your customers and clients.<\/p> Your bank or financial institution could also levy fines on you on behalf of the card providers.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t March 2025 may seem like a long way away, but it takes time and diligence to be able to tick all the boxes to reach that compliance deadline.<\/p> Larger businesses must organise a certified cyber security firm to conduct a PCI DSS compliance audit.<\/p> Level 2<\/strong> businesses that process between one and six million payments a year undertake an annual PCI self-assessment.<\/p> Meanwhile, Level 3<\/strong> businesses (20,000 to one million transactions per card brand annually), should do the same assessment and have a qualified scanning vendor do a quarterly scan.<\/p> If you\u2019re a Level 4 <\/strong>business, processing under 20,000 payments annually per card brand, you still must be PCI compliant.<\/p> Whichever level your business meets, risk management<\/a><\/strong> should be a continuous activity.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t Be sure to look at the latest Self-Assessment<\/a><\/strong> Questionnaire A and Attestation of Compliance, issued in April 2022. The PCI Security Standards Council has set up this helpful resources hub<\/a><\/strong>, to answer any of your questions.<\/p> It\u2019s not just \u2018set and forget\u2019 once you\u2019ve achieved the standard though. While it can be challenging to remain compliant, this is less so than businesses starting from scratch to meet the standards. Remember, as part of your ongoing merchant agreement with a financial institution, you\u2019ll need to pass an assessment annually.<\/p> Small and medium-sized enterprises often need help understanding the scope of compliance. 
That is, how their computing network infrastructure is set up and how their payment processes work. They also might not realise the need for:<\/p> So, if you fail to meet those ongoing requirements, your business won\u2019t pass the annual assessment.<\/p> Once you\u2019ve completed your self-assessment, you\u2019ll need to complete a PCI compliance scan. Those results go to your merchant bank, which then sends them to the payment card industry.<\/p> You might be tempted to delegate PCI DSS compliance to your IT team, but it should involve many more parts of your business, including finance, risk management, and legal. It\u2019s recommended you bring in outside expertise to guide you through the process.<\/p> Compliance with the PCI DSS is essential for business because it highlights continuous improvement and enhances validation methods for payments.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t The Essential 8 dovetail into each other to help create a virtual mesh to protect your business against cyber threats. Do a deep dive into each of the <\/span>Essential 8 here<\/span><\/a> \u2013 there\u2019s quite a lot to them. And, ACSC\u2019s <\/span>Ransomware Action Checklist<\/span><\/a> is handy to have as part of your arsenal.<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\tWhat is the PCI DSS?<\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
Does the credit card payments standard apply to your business?\u00a0<\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
What\u2019s the risk of PCI DSS non-compliance?<\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
How to meet the standards<\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
How to do a PCI DSS assessment<\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t