
PCI DSS 4.0: Balancing Compliance With Data Security


COMMENTARY: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that governs how organizations store, process, and transmit payment card account data, with the aim of securing cardholder data and preventing payment card fraud. Any business that stores, processes, or transmits cardholder data must comply with PCI DSS so that the data is handled securely throughout its lifecycle. The standard also applies to any organization whose systems could affect the security of cardholder data, including service providers that never see a card number themselves.

PCI DSS v4.0 replaced v3.2.1 on 31 March 2024, and the requirements that v4.0 (and the v4.0.1 revision published in June 2024) designated as best practice until 31 March 2025 become mandatory on that date. With that deadline in view, businesses need solutions that manage the delicate balance between safeguarding card data and putting it to effective use. The balancing act has become more critical as organizations lean on cloud analytics platforms and plan to feed the same data into AI workflows.

For MSPs, the point is that they, and their customers, must reevaluate and adapt their data practices, mindful that any organization that handles payment card data must comply, regardless of size or industry.

The Basics of PCI-Compliant Data Usage

Version 4.0.1 of PCI DSS is another step in the evolution of the standard to address the constantly changing threat landscape around financial data. It places greater focus on protecting cardholder data through methods including strong cryptography for stored and transmitted data, access controls built on the principle of least privilege for both services and data, a documented inventory of the cryptographic cipher suites and protocols in use, and expanded, targeted risk analyses.

Given these enhanced measures, organizations face the dual challenge of complying with PCI DSS 4.0.1 while using cardholder and payment data to improve customer service, deliver tailored experiences, and sharpen fraud prevention. Data tokenization is one promising technique for meeting the standard without giving up that use. When a customer makes a purchase or shares payment information, tokenization replaces the card number and other sensitive fields with tokens that are worthless to a fraudster. Because the tokens keep the format of the original values, they remain usable in internal business-improvement, analytics, and emerging generative AI workflows. Tokenization reduces scope rather than removing it: the tokenization system, its keys, and any detokenization interface remain in scope for PCI DSS, and a token is only as safe as the controls around reversing it.

A robust data tokenization solution can help to:

1. Safeguard stored account information.

2. Secure cardholder data with strong encryption for transmission over public networks.

3. Limit access to system components such as sensitive database tables, applications, endpoints, and user accounts based on business necessity, restricting the visibility of cardholder data.

4. Identify users and authenticate access to payment system components.

5. Log and monitor all access to system components and cardholder data for auditability.

Other tactics that make for successful PCI DSS 4.0.1 compliance while using data across analytics workflows include:

· Data security readiness: Ensuring that data collected for analytics is encrypted and stored securely, which in turn requires proper key management (generation, storage, rotation, and retirement of encryption keys).

· Stringent access controls: Leveraging multi-factor authentication and maintaining detailed access logs to ensure payment and cardholder data is handled only by authorized users.

· Continuous monitoring: Performing regular audits and automated compliance checks to reduce the risk of unwittingly drifting out of compliance between assessments.

There are two broad approaches to tokenization: vaulted tokenization and vaultless tokenization, most commonly implemented with Format-Preserving Encryption (FPE). In vaulted tokenization, the older approach, each sensitive value is replaced with a randomly generated token of the same format, and the mapping between token and original value is kept in a separate, tightly controlled database (the vault). Every tokenize and detokenize operation is a lookup against that store, so as data volumes grow the vault becomes a performance, scalability, and cost bottleneck. Its biggest drawback, however, is that it concentrates the original cardholder data in one place, creating both a single point of failure and a targeted "pot of gold" for bad actors.

Vaultless tokenization with FPE, on the other hand, dispenses with the mapping store entirely. Sensitive data is encrypted with a symmetric key using a format-preserving mode, and the resulting ciphertext, which is the token, is written into the database table in place of the original value, alongside the non-sensitive columns. Because the token keeps the length and character set of the input, it is still recognizable as a Social Security number, card number, or email address, but it has no intrinsic value to an attacker who lacks the key. Using NIST-approved FPE modes (FF1 and FF3-1, specified in NIST SP 800-38G), together with proper key generation, storage, and rotation, protects payment and cardholder data without the infrastructure and spend of a vault. The trade-off to keep in view is that an FPE token is ciphertext: anyone holding the key can reverse it, so key custody and the detokenization path are where the security now lives. With FPE, data becomes:

· Portable: The sensitive value is encrypted in place, so the token can be moved and used across systems without exposing the original.

· Compliant: Tokens, rather than clear card numbers, travel across applications and workflows, shrinking the set of systems that ever handle cardholder data.

· Reversible: For legitimate and authorized purposes, as specified in policy and enforced by access controls, the original data can be recovered on the fly through detokenization.

· Scalable: FPE does not require the maintenance of a separate database to store mappings of original data or related tokens and can accommodate growing volumes of data.
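The following Python is an added example, not code from the article or from Fortanix, showing the vaultless scheme the preceding paragraphs describe: the middle digits of a card number are encrypted with a format-preserving cipher keyed by a symmetric key, the BIN and last four stay in the clear, and the result drops into the same column with no mapping table. The cipher here is a ten-round Feistel network with HMAC-SHA256 as the round function, which has the same skeleton as NIST FF1 but is not FF1 or FF3-1; a deployment should use a vetted implementation of those modes. The demo key, the test PAN, and the keep-first-6/last-4 layout are assumptions for illustration.

```python
"""Vaultless, format-preserving tokenization of a PAN (added toy example).

Uses only the standard library. The Feistel-with-HMAC construction is for
illustration; production code should call a vetted NIST SP 800-38G FF1/FF3-1
implementation instead.
"""
import hashlib
import hmac

ROUNDS = 10               # FF1 also uses 10 rounds; kept for familiarity
MIN_DOMAIN = 1_000_000    # NIST FPE modes require radix**len >= 1,000,000

# Constructed demo key: derive real keys in an HSM/KMS, never from a string.
DEMO_KEY = hashlib.sha256(b"demo-key-do-not-use").digest()


def luhn_valid(digits: str) -> bool:
    """Luhn check, used only to validate real PANs on input."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _round_fn(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """PRF for one Feistel round: HMAC-SHA256 over tweak || round || half."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool = False) -> str:
    """Map a decimal string to a decimal string of the same length (bijective)."""
    n = len(digits)
    if not digits.isdigit() or 10 ** n < MIN_DOMAIN:
        raise ValueError("need at least six decimal digits to encrypt")
    u, v = n // 2, n - n // 2            # unbalanced split for odd lengths
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v   # length of the half being replaced
            c = (int(a) + _round_fn(key, tweak, i, b)) % 10 ** m
            a, b = b, str(c).zfill(m)
    else:
        for i in reversed(range(ROUNDS)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _round_fn(key, tweak, i, a)) % 10 ** m
            a, b = str(c).zfill(m), a
    return a + b


def tokenize_pan(pan: str, key: bytes, keep_first: int = 6, keep_last: int = 4) -> str:
    """Replace the middle digits of a PAN with FPE ciphertext; BIN and last four stay clear."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    head, mid, tail = pan[:keep_first], pan[keep_first:len(pan) - keep_last], pan[-keep_last:]
    # The tweak binds the ciphertext to the clear digits, so the same middle
    # under a different BIN or last four produces a different token.
    tweak = (head + tail).encode("ascii")
    return head + _feistel(key, tweak, mid) + tail


def detokenize_pan(token: str, key: bytes, keep_first: int = 6, keep_last: int = 4) -> str:
    """Recover the PAN. Only the authorized detokenization service should hold `key`."""
    head, mid, tail = token[:keep_first], token[keep_first:len(token) - keep_last], token[-keep_last:]
    tweak = (head + tail).encode("ascii")
    return head + _feistel(key, tweak, mid, decrypt=True) + tail


if __name__ == "__main__":
    pan = "4111111111111111"          # standard Visa test number, not a real card
    token = tokenize_pan(pan, DEMO_KEY)
    print(pan, "->", token)
    print("round trip ok:", detokenize_pan(token, DEMO_KEY) == pan)
```

Two properties worth noticing when running it. Tokenization is deterministic for a given key, which is what lets analytics code join and aggregate on tokens without ever detokenizing. And because the token is a 16-digit string with a valid BIN, roughly one in ten tokens will also pass a Luhn check by chance, so format alone cannot tell a token from a live PAN; DLP and scoping decisions have to rest on where the key lives, not on what the column looks like. The `MIN_DOMAIN` check is the NIST edge case: a 15-digit PAN with 6 and 4 digits preserved leaves only five digits to encrypt, which is too small a domain, so the caller must preserve fewer digits.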

The Future Starts Now

Implementing best practices in data security lets organizations build a security framework that supports safe, compliant data analytics ready for PCI DSS 4.0.1. Protecting sensitive cardholder and payment data from unauthorized access and breaches while extracting full value from it is a simple idea that can prove complex to implement.

Achieving success requires a balanced approach that addresses both security requirements and operational needs. Organizations should regularly review and update their security practices to address evolving threats, changing regulations, and operational requirements while keeping their analytics processes efficient. Those who follow this approach give themselves the best chance at long-term success and sustained compliance with PCI DSS 4.0.1.

ChannelE2E Perspectives columns are written by trusted members of the managed services, value-added reseller, and solution provider channels or ChannelE2E staff.

Richard Searle

Dr. Richard Searle is chief AI officer at Fortanix. Searle has an extensive background in complex systems engineering and the application of machine learning to data discovery, and now leads the strategic development and deployment of AI systems secured using Trusted Execution Environments (TEEs) on CPU, GPU, and NPU platforms. Searle previously served as both General Members' Representative to the Governing Board and Chair of the End-User Advisory Council of the Confidential Computing Consortium of the Linux Foundation, and regularly contributes thought-leadership articles and talks on quantum computing, quantum information security, AI security, and the applications of confidential computing. He holds a Doctor of Business Administration degree from Henley Business School at the University of Reading, and has filed patents and published conference papers and journal articles on the application of Confidential Computing technology. He is currently conducting research on the use of AI systems within the context of national security and also serves as the principal investigator for Fortanix within the U.S. NIST AI Safety Institute Consortium (AISIC), addressing AI security and the specific risks of generative AI technology.
