We all know that 2020 brought a lot of uncertainty and changes to the way that we do things. And while some of that is not going to change in 2021, we thought this was a good time to look forward to what we expect for 2021 in the payments industry and how you can take steps to make your business more secure.
What to Expect in the Payment Industry in 2021 (PCI DSS v4.0)
Last year, we wrote about the timeline for the upcoming version 4 of PCI DSS. PCI DSS v4.0 is due to be released publicly in Q2 of 2021. That’s less than six months from now! While we still can’t talk about version 4 until it’s publicly released, some of the highlights that we can talk about include:
- Many key areas are being reviewed, including authentication, monitoring of requirements, and the frequency of testing controls.
- Changing from “Compensating Controls” to a “Customized Approach” which will let organisations have more flexibility on how controls are met as long as the objective of the control is met. This is an area we will be exploring in future posts.
- Changes to SAQs and reporting templates which always come along with new major versions of PCI DSS.
At a high level, though, we can expect version 4.0 to bring significant changes, since there will be an extended period for future-dated requirements to be put in place. Version 3.2.1 (the current version of PCI DSS) is not expected to be retired until Q2 of 2023, a full two years after v4.0 is released.
Over the course of 2021 and 2022, Confide will be publishing a series of posts looking at how version 4.0 changes things and what this might mean for organisations.
What We Expect to See in the Industry
More Online Shopping
One thing that’s become clear in the last 12 months is that the transition to e-commerce has accelerated in New Zealand. More and more companies have had no choice but to make the move to having an online shop either in addition to or instead of the traditional bricks and mortar business. After New Zealand moved to level 3, online shopping increased 105%. And while the increase has tapered off, online shopping is still approximately 30% higher than normal.
Changes to How People Donate
With cheques being phased out by all the major banks in NZ in 2021, charities are having to look at new ways to collect donations, just as shops have had to find new ways to reach customers during the pandemic. That means charities that haven’t traditionally accepted online payments are now faced with all the benefits (and risks) of moving online.
Increased Risks and Costs
While the main benefit of having an online presence is that you can suddenly reach a much larger audience, we all know that there are risks (and costs) associated with going online. CERT NZ does a quarterly report on the incidents that have been recorded. In an average quarter, approximately 1300 incidents were reported with a direct financial loss of $3.6 million. In Q3 of 2020, the number of incidents increased by 33% over the Q2 numbers (approximately 2600 incidents reported in Q3) and the direct financial losses were reported at $6.4 million.
While we expect to see breaches continue, there are steps that you can take to minimise the risk of a breach.
Improving Your Security in 2021
Looking back on what either caused or contributed to breaches in 2020 gives us a good starting point to look at what steps can be taken to improve security in 2021 for businesses and charities alike.
Learn from the Past
The biggest areas where there were compliance gaps in 2020 were:
- Requirement 11: Test security systems and processes
- Requirement 5: Protect against malicious software
- Requirement 10: Track and monitor access
- Requirement 8: Authenticate access
Based on the report from Verizon, no organisation was fully compliant with all PCI DSS requirements at the time of a breach, and 55% of organisations that suffered a breach were small and medium-sized businesses.
One area that did not show a large control gap, but that is regularly the cause of security breaches, is Requirement 6 (Develop and maintain secure systems); in particular, breaches here often come from missing security patches. Whether it is Windows or Linux patches, or patches to your key applications, making sure that your systems are patched is part of the ASD Essential Eight (a list of essential mitigation strategies to use as a baseline that makes it harder for a system to be compromised).
Adapt Your Security For How You Work
If there’s one thing that was constant in 2020, it was change to how we work. Now that a lot of these changes have become the norm, security needs to be updated to ensure that it is still part of the “new normal”.
One of the key things that we saw, and continue to see, is more people working from flexible locations, which means there are more risks that need to be considered. For example, making sure that:
- Their home devices are patched,
- Any security scans are including remote machines,
- VPN access uses multi-factor authentication,
- Any of the temporary steps you took to secure people during the lockdowns have now been incorporated into your policies.
You can read more about steps you can take to secure your workers when they are working from home in our post.
Improve in the Future
If you can only do a few things to protect your online business in the coming months, we recommend:
- Regularly install both operating system and application patches (have a process to check for and install patches at least monthly, if not more frequently).
- Use multi-factor authentication anywhere you can (this way, if your password is compromised, it’s a lot harder for someone to use it).
- Regularly scan your website and server for vulnerabilities.
- Check for malware (if you’re using antivirus software, make sure it’s regularly updated).
We also have a number of recommendations for different types of organisations:
- Secure Your Online Store
- Protecting Payments Over the Phone
- Accepting Payments by Mail? What You Should Know
- PCI DSS Basics
- Merchant PCI Basics
- Service Provider PCI Basics
How Can Confide Help
We can only guess at what’s going to happen in the next 12 months, but we want to help as much as we can. Confide is a Qualified Security Assessor Company (QSAC) and we have services to support organisations of all sizes and can help you understand your current security risk and compliance state from completing a gap analysis through to a full PCI DSS assessment. Contact us and find out how we can help you reach compliance in 2021.