Companies that process credit and debit cards for purchases of goods and services may decide there is value in storing those card details per customer for future purchases and history. That decision should not come lightly as it requires your organization to comply with the Payment Card Industry Data Security Standard or PCI-DSS. The standard has evolved since we first wrote about it in Implementing Secure Automated Payment Processing, now reaching version 3.2, which went into effect on Nov 1, 2016. Here are some of the latest highlights for consideration.
Check Your Volume
Organizations that handle ANY volume of card transactions now must send self-assessments to their acquiring banks. This is a significant change, as previously only merchants processing large volumes were subject to the strict requirements. Previously, smaller merchants – defined as processing 20,000 or fewer ecommerce transactions or 1 million total transactions – were exempt from this. The self-assessment can institute a considerable burden on IT departments that are already stretched.
Not Just for Retailers
Remember that these standards are not just for retailers taking cards to sell goods online and/or in-store. Rather, any business taking credit or debit card payments for subscription payments or to settle invoices may be subject to these standards. The risk is that your acquiring bank may require the self-assessment mentioned above to continue funding those transactions.
Multi-Factor Authentication
While multi-factor authentication is not a new requirement, it previously stated that organizations needed to implement “two-factor authentication.” Notable is the shift from using the term “two-factor authentication” to “multi-factor authentication.” The guidance explains that while two-factor authentication is considered a type of multi-factor authentication, the standard in Version 3.2 requires a company must use a minimum of two credentials. Additionally, the standard explains that organizations must use “two separate forms of authentication,” meaning that using a single authentication method twice (e.g., using two separate passwords) would not qualify as “multi-factor authentication” under PCI-DSS.
Now you can see why so many businesses simply choose to outsource their card processing rather play catch up to this rightfully rigid standard.
With questions about PCI-DSS, please contact Superior Technology Solutions. We look forward to sharing our extensive technology background with your organization. For more information, contact Superior Technology Solutions online at www.superiortechnology.com or via phone at (845) 735-3555.
Comments are closed.