The Council, which is responsible for overseeing the Payment Card Industry Data Security Standard (PCI DSS), announced in February that it will release version 3.2 of its guidelines at some point in March or April, adding that it will be gradually moving away from “wholesale” changes and towards “incremental modifications”.
The Impact of Major Changes Felt by Businesses in 2008
The update that had the most significant impact on businesses and the way they handled financial transactions came in 2008. In accordance with requirement 6.6 of the PCI DSS, businesses abiding by PCI certification standards have to use web application firewalls (WAFs) to safeguard against web application attacks.
By enforcing WAF usage, the PCI SSC was able to better protect user data from cyberattacks that exploit code vulnerabilities (e.g., SQL injection), resulting in a significantly more secure business environment.
Another example of the impact on smaller businesses trying to abide by the PCI DSS was seen last year, when version 3.1 of the guidelines forced retailers to upgrade their chip-and-PIN systems to meet the new standards.
For small businesses, this shift represented a significant investment and has prompted a number of retailers to consider Point-to-Point Encryption (P2PE) in a bid to future-proof themselves against any further changes.
Indeed, with the PCI DSS seemingly moving towards further integration of P2PE, it seems as though businesses are right to adopt the technology now rather than wait for a major change to be imposed upon them in the coming months.
Fortunately, as the issue of payment protection has evolved, the PCI SSC is keen to implement more gradual changes so that smaller businesses don’t get left behind. Of course, no business has a legal requirement to abide by the guidelines set out by the PCI SSC. However, with issues such as data leaks and fraud being criminal offences, it’s every business owner’s duty to ensure their payment systems are well protected.
Incremental Changes by the PCI SSC will Help Small Businesses
With this in mind, the PCI SSC appears to be content to release just one update in 2016 and focus on addressing pressing issues in the current climate rather than major issues in the payment protection industry as a whole.
This will be music to the ears of small businesses that have been struggling to bear the cost of recent changes.
From a consumer point of view, it’s unlikely this decision to take a more incremental approach to updates will have much of a noticeable impact on the way their transactions are processed. However, for the businesses they frequent it will certainly be a welcome change of policy.