Increased Scanning Requirements in PCI DSS v4.0: usd Invites Acquirers to an Exchange of Experiences

22. November 2023

For many companies in the payment industry, preparations for PCI DSS v4.0 are reaching the final stage. This is also the case for Acquirers, payment institutions that process card payments for merchants, and their customers. As solutions to shared challenges can be better found together, usd has been inviting representatives of European Acquirers to exchange experiences and knowledge for many years.

"The format is characterized by the transparent presentation of current implementation possibilities and the presentation of various options. The opportunity to ask individual questions rounds off the event and enables an interactive exchange," says Patricia Brenner, Scheme Projects Manager, VR Payment GmbH.

On November 9, it was time again. The most important topic on the agenda was PCI DSS v4.0 and the implementation of the new security requirements for SAQ A merchants. According to the latest version of the standard, the majority of merchants will be obliged to have external security scans carried out regularly by accredited providers (ASV) starting in April 2024. With this tightening of the scanning obligation, the PCI Council is responding to the constantly growing threat of web skimming attacks, among other things.

Susanne Pfitzner, Service Manager for usd Security Platforms, understands the challenges that this new requirement poses for Acquirers and their customers: "As you can imagine, many merchants who have never had to conduct security scans before have neither much understanding of the new requirement nor sufficient resources. It is therefore important for their Acquirers to offer practicable solutions. Of course, we won't leave them on their own."

The agenda of the usd Acquirer Meeting therefore included a presentation of new and planned future features of the usd PCI Compliance Management Platform as well as a detailed block on the topic of the extended scanning obligation for merchants with SAQ Type A. In addition to various options for dealing with the scanning obligation, Acquirers were also given suggestions for communicating with their merchants.

"The presentations provided a very informative overview of the challenges for SAQ A merchants in PCI DSS v4.0 and in particular helped to understand the new requirement to carry out vulnerability scans," summarizes Jörg Michael, Business Analyst Payment Products, PAYONE GmbH. "Many thanks to the usd team, as a participant I was well understood and actively involved."

Also interesting:

Top 3 Vulnerabilites in System Pentests

Top 3 Vulnerabilites in System Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

DORA Deep Dive: Reporting of ICT-Related Incidents

DORA Deep Dive: Reporting of ICT-Related Incidents

The Digital Operational Resilience Act (DORA) requires major ICT-related incidents to be reported to the German Federal Financial Supervisory Authority (BaFin) from January 2025. Why should you take a close look at this requirement now? Where in DORA is this...

Categories

Categories