Merchant Risk Council (MRC), a global non-profit membership association for payments and fraud prevention professionals, held a session of its MRC Webinar Wednesday series featuring the panel “Are You Managing PCI Compliance in the Best Way?”
Panel speakers included MRC member Bluefin, featuring Bluefin’s CISO Brent Johnson and Bryan Bell, Principal Consultant at Foregenix. With 25 years of PCI DSS experience between them, the expert panelists sat down to discuss the technologies organizations need for a secure payment environment and the implications that come with reducing risk and PCI compliance burdens.
Key Solutions for PCI Compliance
Bell explains that one question organizations often ask is, “What is the one thing I can do to reduce risk and reduce our compliance burden?” Although no “holy grail” solution exists, Bell states that a strong first step is to deploy a PCI-validated point-to-point encryption (P2PE) solution.
“With P2PE, as card data traverses the network, the merchant environment, or even if it traverses through a secondary solution provider, there is no reasonable means of attacking that data, decrypting, or compromising it. For that reason, you get two big benefits with P2PE. The first is risk reduction, as the data is not easily compromised. And secondly, because of the security of P2PE, the Payment Card Industry Security Standards Council (PCI SSC) has afforded significant scope reduction (taking the SAQ from 329 to 33 questions) for merchants in terms of how they are processing P2PE transactions,” says Bell.
As organizations come to recognize the importance of P2PE, both panelists stress that it belongs within a multi-layered approach to data security. Keeping up with PCI controls, continuing basic security practices, and protecting data in transit (with P2PE) as well as data in storage (with tokenization) are all important steps toward a secure data environment.
PCI Compliance – Past Mistakes and Future Changes
Over the years, both panelists have seen common mistakes organizations make around PCI compliance. A missed cardholder data flow, for example, can be a “showstopper” for a company and leave its environment non-compliant. Cardholder data residing in network environments, business units, and applications is easily overlooked, especially at companies going through acquisitions. Keeping merging organizations segmented until PCI compliance is validated is crucial.
Identifying cardholder data flows has always been a PCI compliance requirement, but the upcoming PCI DSS 4.0 version adds a specific control that requires formal documentation and a defined process.
Johnson and Bell discussed the additional changes with the upcoming PCI DSS 4.0 guideline, highlighting:
- Customized Approach vs. Defined Approach
- Customized Approach vs Compensating Control
- Targeted Risk Assessment
- Authenticated Scanning
MRC members can view the entire webinar here.
For more information on PCI DSS v4.0, the PCI DSS Resource Hub provides links to both the standard documents and educational resources.
Bluefin is an MRC member and the first U.S. PCI-validated provider of a P2PE solution.