What you need to know about the PCI DSS
Credit card fraud became rampant at the advent of online shopping, prompting five major credit card brands (VISA, MasterCard, Discover, American Express and JCB) to come together to develop a security standard for protecting credit card data. In 2004, version 1.0 of the PCI Data Security Standard was published. It has evolved over the years, with the last major revision to 4.0 in 2022.
In the first three iterations, the PCI DSS focused primarily on technical implementations and security awareness training for employees. In 4.0, however, the emphasis shifted strongly to governance. The PCI Standards Council recognized that technical security is not enough to provide a truly secure environment.
For example, in v3.2.1 the first requirement was:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
In v4.0, the first requirement became:
1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
This is an especially important change for small retailers, as it has become common practice for SMBs to rely on their Managed Service Providers (MSPs) to maintain their PCI DSS compliance. MSPs, however, typically neither offer governance and risk management services nor have them within their expertise.
That's where the experts at TNE excel, with 20+ years of experience in GRC (Governance, Risk Management and Compliance). True security requires written policies and procedures and employee training, which in turn produce repeatable processes.
Strong governance is not just a compliance issue; it builds resilience in your organization and provides a strong foundation for future growth.
Whether you are starting from scratch or working on maturing your processes, TNE is here to help.