In the first half of 2024, £571 million was lost to card payment fraud in the UK alone, much of it driven by scams on social media. Fraud has clearly evolved, adopting more modern and sophisticated tactics.

In payments, one standard governing how card data is protected, namely how it is stored, processed, and transmitted, is PCI DSS. The Payment Card Industry Data Security Standard was created in 2004 and has been the backbone of payment security for nearly 20 years. This year marks a big shift: its latest version, PCI DSS v4.0, will become mandatory in March 2025. This is the first major update in over a decade, so it is worth taking a closer look at the key changes.

Overall, PCI DSS v4.0 focuses on critical aspects such as encryption, authentication, network segmentation, and vulnerability testing, ensuring businesses are better equipped to handle 'modern' security threats that are increasingly sophisticated too.

- As such, one of the key changes is the introduction of a flexible compliance approach. This means merchants can choose security measures that best fit their specific needs and risks. This approach is well aligned with how businesses today manage their security challenges. In the same way that authentication frameworks are becoming more adaptive to varying levels of risk, other security measures are also evolving to be more context-specific and scalable.
- Another key update focuses on the stronger authentication framework. Multi-factor authentication (MFA) is now mandatory for all accounts accessing sensitive payment systems, including remote administrative access. Specifically, MFA is required for all accounts that interact with the Cardholder Data Environment (CDE).
- Stronger encryption and better key management are now essential. Businesses must use modern encryption methods instead of outdated ones. They also need to improve how encryption keys are created, shared, and stored to reduce the risk of data breaches and unauthorised access.
- Given the industry's shift towards real-time data processing, the latest guidelines also encourage automated monitoring and the use of tools that enable businesses to detect and flag non-compliance in real time.

#Paymentexperts, any perspectives to share on #pcidss?

---

Wonder who we are? We are a team of Payments Strategists, blending core technical, operational, and commercial expertise with a creative approach. We assist clients through Consulting, Strategy, Research, and Thought Leadership projects.

Looking for payment learning resources?
- Sign up to our unique Payment Assets Library here: https://lnkd.in/dVXjGkzB
- Follow Paypr.work [ˈpeɪpəwəːk] for more

#paymentinfographics #paymentstrategy #payprwork #paymentinsights
Ecommerce Data Security Standards
Explore top LinkedIn content from expert professionals.
Summary
Ecommerce data security standards are the rules and best practices that online businesses must follow to keep customer payment and personal information safe from fraud and misuse. These standards, such as PCI DSS and the upcoming DPDP rules, outline how companies should store, encrypt, and manage sensitive data to protect users and maintain trust.
- Encrypt all data: Make sure any cardholder information collected or stored is encrypted and never saved in plain text to prevent breaches.
- Implement strong authentication: Require multi-factor authentication for anyone accessing sensitive payment systems, including remote administrators, to block unauthorized entry.
- Delete old user data: Regularly remove personal data for inactive users to reduce the risk of misuse and comply with new regulations focused on privacy and data retention.
Did you know that under PCI-DSS, storing unencrypted cardholder data is a major compliance violation? PCI-DSS (Payment Card Industry Data Security Standard) requires businesses that handle credit card transactions to encrypt, restrict, and securely store sensitive cardholder data to prevent fraud and breaches. Failure to comply can result in hefty fines, legal consequences, and even the loss of payment processing privileges. Many companies assume compliance is just about firewalls and access controls, but data encryption, tokenization, and storage policies play a critical role. If a company stores raw credit card numbers without proper security measures, it could be hit with non-compliance penalties and major reputational damage.
DRAFT DPDP RULES, 2025 - SECTOR-WISE IMPACT ANALYSIS - PART 2 – E-COMMERCE SECTOR

The e-commerce industry, handling vast amounts of user data for various purposes such as transactions, marketing, and analytics, faces significant compliance responsibilities under the Draft Digital Personal Data Protection (DPDP) Rules, 2025. These rules aim to bolster consumer privacy and data security while ensuring transparency and accountability in data processing practices.

## Key Obligations for E-Commerce Platforms:

# Significant Data Fiduciaries Obligations:
* E-commerce platforms that process data of over 2 crore users are designated as Significant Data Fiduciaries.
* These platforms are required to conduct regular Data Protection Impact Assessments (DPIAs) and data audits (as per Rule 12) to ensure compliance and mitigate risks associated with the processing of sensitive personal data.
* Enhanced obligations include the transparency of algorithmic processes, ensuring they do not infringe on consumer rights, particularly around targeted advertising and data usage.

# Child Data Restrictions:
* E-commerce platforms must not profile or target children for advertising or data collection (as per Rule 11).
* The platform will need robust mechanisms to identify and segregate children's data.
* Parental consent must be obtained before processing personal data of minors, demanding additional infrastructure and verification systems.

# Data Retention Policies:
* Platforms are required to delete user data within three years after a user becomes inactive, unless a longer retention period is stipulated by law (as per the Third Schedule).
* This is aimed at minimizing the retention of unnecessary data, reducing the risk of misuse.

# Transparency and User Rights:
* Users will have clear rights to access, correct, and delete their personal data under the DPDP Rules.
* E-commerce platforms must develop systems that enable users to easily exercise these rights.
* Clear and explicit consent mechanisms will be mandatory for data collection and processing, requiring platforms to enhance their current data-gathering processes.

In summary, the DPDP Rules require e-commerce businesses to implement stronger data protection practices, increasing both compliance costs and operational complexity, but also offering an opportunity to build greater consumer trust.

ANB Legal Lara Borges Sejal Mehta