
How new PCI standards will change online security for retailers
In order to comply with future-dated PCI-DSS compliance requirements, merchants must implement a series of new security measures. The new requirements come into effect now, in March 2025, and will help to protect consumers and retailers against online fraud.
As e-commerce has grown, so too has the number of bad actors looking to exploit security weaknesses to steal credit card data, a practice known as e-skimming.
Future-dated requirements that come into effect in March 2025 will help to protect consumers and retailers alike, but online merchants must implement a series of new security measures to ensure compliance.
Each year, thousands of card details are stolen in online card transactions - even on well-known and big-brand websites. Hackers are becoming increasingly sneaky, so even if a merchant's card capture form is secure, they can exploit security weaknesses elsewhere on a website and intercept sensitive data before it even reaches the merchant's secure payment form.
That's why the new PCI DSS 4.0.1 safety standards require retailers to secure their entire website. Reputable payment platforms meet the highest standards of payment security, which reduces the scope of compliance efforts for retailers.
However, there are still a few steps merchants need to take to ensure that their site is fully compliant.
PCI what?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards that retailers must comply with, no matter their size. The standards are updated from time to time, and the latest version, PCI DSS 4.0.1, has some future-dated requirements that come into effect at the end of March 2025.
PCI DSS 4.0.1 enforces stricter security measures for the entire site to prevent attacks like e-skimming and to ensure secure payment processing.
It is designed to enhance the security of cardholder data by adopting a comprehensive approach to security measures and access controls.
This means that merchants are responsible for securing every part of the payment flow, ensuring that both the payment form and the hosting web environment are protected.
PCI DSS 4.0.1 has stronger password and multi-factor authentication requirements. It also has improved security practices, with updates for e-commerce security and third-party risk management.
It is more flexible, with more customised approaches to compliance, and comes with improved guidance and examples.
What does this mean for retailers?
The new requirements oblige merchants to take a more active role in securing payment pages and to proactively monitor for signs of compromise. In particular, there are two requirements which merchants need to act on before the end of March 2025.
Firstly, merchants have to keep track of all their (software) scripts, even those from third parties. All scripts have to be authorised and merchants need to ensure that they haven't been tampered with. Testing for unauthorised scripts is mandatory.
This is essential because attackers can compromise third-party scripts to steal card data directly from customers' browsers.
Secondly, merchants need to monitor payment pages for unexpected changes to things like code or even the way the page is displayed in the browser. Merchants need to set up alerts to notify them of suspicious activity to detect and respond to attacks more quickly.
This is important because attackers are able to modify web pages to redirect customers to fake sites, or to steal their data.
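As an added illustration (not part of the original article), the sketch below shows one way to check a payment page against an authorised script inventory and to flag scripts whose content has changed since approval. The inventory layout, the example URLs and the `SERVED` dictionary (standing in for script bodies fetched from the live site) are assumptions made for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external URLs and inline bodies."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("external", src))
            else:
                self._inline = []  # start buffering an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append(("inline", "".join(self._inline)))
            self._inline = None

def digest(body: bytes) -> str:  # same "sha384-<base64>" form used by SRI
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit_page(html, served, inventory, inline_allowed):
    """Return findings for scripts that are unauthorised or have changed."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for kind, value in collector.scripts:
        if kind == "inline":
            if digest(value.encode()) not in inline_allowed:
                findings.append(("unauthorised-inline", value.strip()))
        elif value not in inventory:
            findings.append(("unauthorised", value))
        elif digest(served[value]) != inventory[value]:
            findings.append(("tampered", value))
    return findings

# Constructed sample data: approved baseline vs. what the page serves today.
URL, APPROVED = "https://pay.example/checkout.js", b"initCheckout();"
INVENTORY = {URL: digest(APPROVED)}
INLINE_ALLOWED = {digest(b"window.cfg={};")}
PAGE = (f'<script src="{URL}"></script><script src="https://cdn.example/w.js">'
        '</script><script>window.cfg={};</script><script>extraTag();</script>')
SERVED = {URL: APPROVED + b"changed();", "https://cdn.example/w.js": b"w();"}
FINDINGS = audit_page(PAGE, SERVED, INVENTORY, INLINE_ALLOWED)
```

Run on a schedule against the rendered payment page, a non-empty findings list is the condition that should raise an alert.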
PCI requirements become more rigorous depending on a merchant's transaction volumes, with levels broken down as follows:
- Level 1: Over 6 million transactions per year
- Level 2: 1-6 million transactions per year
- Level 3: 20,000-1 million transactions per year
- Level 4: Fewer than 20,000 transactions per year
Next steps for retailers
Think of your website security the same way you would your home security. Each time you leave your house, you lock the doors and close the windows, and probably set an alarm system.
Ensuring your website is PCI DSS 4.0.1 compliant essentially locks the doors and windows on your website, and guards against e-skimming. It's imperative that you comply to protect your customers and your business.
Some helpful next steps:
- Determine your compliance level: Your PCI DSS scope (the extent to which you need to comply with the standard) is determined by how you handle cardholder data.
- Understand the requirements by reviewing PCI DSS v4.0.1 (available for download through the PCI Security Standards Council).
- Assess your current security level by identifying gaps and areas for improvement
- Implement necessary security controls based on your chosen integration method.
- Document your compliance efforts, which requires you to maintain records of policies, procedures, and assessments.
- Regularly monitor and maintain compliance
For some retailers, this may all seem quite foreign. The first step is to speak to your webmaster about what needs to be done.
All rights reserved. © 2022. Bizcommunity.com Provided by SyndiGate Media Inc. (Syndigate.info).
