New Data Standard Could Expose FIs' Authentication Gaps
Source: American Banker
As FIs get ready to implement a new data security standard created by a payment industry group, there are three areas in which banks, retailers and payment processors need to step up their efforts, experts say: employee authentication, security testing and monitoring of partners' data security.
The PCI Security Standards Council (PCI SSC) kept the 12 tenets of the PCI Data Security Standard (PCI DSS) functionally the same, but has made a significant shift toward an outcomes-based approach in the recently released version 4.0. Retailers and financial institutions will have two years to implement the new requirements. Assessors will wait until March 2025 to verify compliance with the new standard.
The typical bank likely has little remedial work to do immediately in light of the new standard, according to experts at the cybersecurity assessor Schellman, but many advised financial institutions to start working now, if they have not already, to meet the new requirements. Additionally, banks need to worry about more than just their own compliance; they also need to pay attention to what their clients are doing.
Among the biggest hurdles banks and retailers face in complying with the new standard are the expanded requirements for multifactor authentication for employees. Although many banks already have multifactor controls for consumers, multifactor authentication for bank employees, as the new standard requires, is less common, according to David Mattei, a strategic advisor for the financial services consulting firm Aite-Novarica.