
Part of our PCI DSS v4.0 blog series
The Payment Card Industry Data Security Standard (PCI DSS) is a global framework that establishes technical and operational requirements for safeguarding account data. All entities handling, processing, and transmitting cardholder data must comply with PCI DSS v4.0.1 standards. While some updates went into effect earlier this year, additional controls will be listed as best practices until they become required after March 31, 2025. The goal of the update is to help meet the security needs of the payment industry and promote continuous security processes.
To help financial institutions understand the changes, we launched a series of PCI DSS v4.0 blog posts. Our first post covered requirement 5.4 on anti-phishing and DMARC. For this second post, we’ll focus on requirement 3 on protecting stored account data.
In-app data is the new norm
In a 2023 Entrust survey, we learned that 79% of respondents prefer using mobile apps for basic daily banking. So it’s no surprise that more and more financial institutions are opting for in-app card issuance and display of card details in the app to provide a digital-first payment and banking experience to their cardholders. (We wrote about our digital card solution’s in-app card display in this previous blog post.)
PCI DSS v4.0.1 requirements related to card data
Financial institutions offering in-app payment options typically comply with PCI DSS v3.2.1. Firms moving toward v4.0.1 compliance should note there are 12 key requirements that include more than 60 sub-requirements. The goal of this new version of the data security standard is to continue to meet the security needs of the payment industry. The deadline to implement PCI DSS v4.0.1 is March 31, 2025.
To comply with PCI DSS v4.0.1, one of the requirements for financial institutions is to protect access to cardholder data (“Protect stored account data” and “Protect cardholder data with strong cryptography during transmission”). Examples would be expanded multifactor authentication requirements or updated password requirements, as noted in this PCI Security Standards Council blog post.
Cardholder data is defined by PCI DSS as the primary account number (PAN), cardholder name, expiration date, and PIN.
Requirement 3: Protect Stored Account Data consists of seven sections:
- 3.1 Process and mechanisms for protecting stored account data are defined and understood
- 3.2 Storage of account data is kept to a minimum
- 3.3 Sensitive authentication data (SAD) is not stored after authorization
- 3.4 Access to displays of full PAN and ability to copy PAN are restricted
- 3.5 PAN is secured whenever it is stored
- 3.6 Cryptographic keys used to protect stored account data are secured
- 3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
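To make sections 3.3, 3.4 and 3.5 concrete, here is an added illustration (not Entrust's code, and not taken from the standard) of what one account-data record should look like before it is written to a datastore after authorization. The assumed controls are: sensitive authentication data fields are stripped, the PAN is masked to the first six and last four digits for display, and the stored PAN reference is a keyed one-way hash (HMAC-SHA256) whose key would live in an HSM or key manager rather than in code.

```python
"""Added example: applying PCI DSS Requirement 3 controls (3.3-3.5) to one
post-authorization account-data record. Illustrative, not Entrust code."""
import hashlib
import hmac

# Sensitive authentication data (SAD) must not be retained once the
# transaction has been authorized (requirement 3.3). Field names assumed.
SAD_FIELDS = ("cvv", "cvv2", "pin", "pin_block", "track_data")


def _digits(pan: str) -> str:
    """Normalise a PAN by dropping separators and validating its length."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form of the PAN (requirement 3.4): first 6 and last 4 digits
    visible, the rest replaced. This BIN+last-four rule is assumed here."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Storage form of the PAN (requirement 3.5): a keyed one-way hash, so the
    clear PAN is never written. The key is a parameter only for illustration;
    in production it comes from an HSM/KMS and is never stored with the data."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_sad(record: dict) -> list:
    """List SAD fields still present in a record (an audit finding if non-empty)."""
    return [field for field in SAD_FIELDS if field in record]


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return only the fields allowed to persist after authorization.
    SAD fields are dropped by construction: they are simply never copied."""
    return {
        "pan_masked": mask_pan(record["pan"]),
        "pan_ref": pan_reference(record["pan"], key),
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
    }
```

Run `find_sad` on records already in a datastore to detect SAD that should have been purged; `prepare_for_storage` is the shape every write path should funnel through.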
NOTE: We’ll cover sections 3.6 and 3.7 in an upcoming blog post as part of our PCI DSS v4.0 blog series.
Challenges of ensuring PCI DSS compliance for cardholder data
Offering digital-first features, like displaying sensitive card information in-app, must comply with PCI DSS, one of the world's most stringent security standards. And that brings its own set of challenges.
- PCI DSS requirements can significantly limit banking apps in terms of innovation and agility.
- For a financial institution to be PCI DSS-compliant – and to offer a secure experience to the cardholder – the card information must be obtained from the content management system (CMS).
- Failure to comply with requirements can result in fines or suspension of card transaction processing.
- While multiple recommendations or requirements by PCI DSS may already be implemented, some controls may be new for the financial institution. Aspects regarding encryption or multi-factor authentication may be insufficient, or in some cases, nonexistent. This limitation can be disruptive and may adversely impact an organization’s processes.
- It’s important to consider a holistic approach to security and compliance overall to help mitigate the complexity resulting from multiple, disparate solutions.
- For third-party providers handling customer cardholder data, financial institutions will need to assess the provider for compliance. If the vendor is not compliant, the financial institution may also be considered non-compliant.
Entrust Digital Card Solution
The Entrust Digital Card Solution is PCI DSS-compliant and adheres to data residency and privacy regulations. It allows banks and credit unions to securely display sensitive card details (card number, expiry date, CVV, CVV2) in the banking app. This also allows those financial institutions to securely display the PIN code in the application and let their cardholders modify their card’s PIN in the banking app. Our PCI DSS-compliant “instant PIN display and change” enables reduced operational costs and a truly digital-first experience.
Some security measures we take to illustrate our commitment to your banking customers’ security include:
- The backend is fully PCI DSS tested and certified on a yearly basis
- Our SDK supports all digital card use cases with unique security, and embeds the most advanced countermeasures to protect the app and the digital card data from hackers
- Our testing and regular audits help ensure all sensitive data at-rest or in-transit is encrypted
- The solution provides end-to-end encryption of all sensitive card data when possible
- PII data such as email, phone, and customer name are not retained
Visit our website to learn more about the Entrust Digital Card Solution, or contact us to learn how we can help your organization manage PCI DSS v4.0.1 requirements.