PCI DSS v4.0 - Updates You Need To Know
Digital payment technology is an incredibly valuable asset to society. It gives people the luxuries of sending money, paying others, and even getting their groceries done online with no more than a few taps of their smartphone's screen. But like all things internet, there are risks. Cyber-fraud is a growing area of concern for businesses, individuals, and financial institutions alike.
In an effort to better protect consumers and keep the industry safe, the Payment Card Industry Security Standards Council (PCI SSC) recently released an updated version of its trademark industry guidelines. This article will walk you through some of the bigger changes set against the context of previous rules.
A Refresher On PCI DSS
The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set of guidelines that establishes the protocols businesses must follow when storing, processing, or transmitting cardholder data. It was first established by Visa, Mastercard, Discover, JCB, and American Express in December 2004 and has since been managed by a collective organization of those companies called the PCI Security Standards Council.
The main purpose of PCI DSS is to protect the personal and financial data of cardholders by providing a framework for businesses to follow when handling that data. This includes things like implementing strong access controls, encrypting transmission of cardholder data across open networks, and regularly monitoring security systems.
There are several levels associated with the PCI DSS depending on how many transactions a business processes annually—all must be compliant with at least one level in order to process payment cards. The higher the level, the more stringent and comprehensive the security requirements.
The Evolution of PCI DSS
PCI DSS policy has seen a lot of change over the years as rule-makers have sought to keep up with the ever-evolving technologies used for digital payments. It's been fully updated a total of three times, first in 2010 with the introduction of PCI DSS v2.0, then in November 2013 with Version 3.0, and this year, with Version 4.0.
PCI DSS v4.0 seeks to make long-overdue changes to the standard that have been suggested in recent years. This includes more concise language and terminology, clearer instructions for implementation, and additional measures aimed at bolstering organizational accountability.
What PCI DSS v4.0 Brings to the Table
The latest version of PCI DSS introduces a total of 63 new requirements for businesses that meet its qualification criteria. We won't go through every single one of them in detail, but here are some of the highlights:
Risk Assessments
While earlier versions of PCI DSS already required risk assessments, v4.0 ups the ante by calling for specifically targeted risk analyses. What are those, you may ask? Targeted risk analyses dive deeper into specific areas of concern within an organization's security infrastructure. They consider the unique vulnerabilities pertaining to particular types of data and the potential impact of an attack on that data.
Strengthening User Gateways
Passwords are an incredibly critical aspect of data and network security. As such, the new version of PCI DSS requires organizations not only to lengthen their passwords to a minimum of 12 characters, but also to implement advanced user authentication protocols with expanded multi-factor authentication. While a simple combination of letters and numbers may once have been enough, it no longer provides the same level of security. Organizations that cut corners with single-factor sign-on processes drastically increase their risk of account compromise. Don't think it can happen to yours? The Colonial Pipeline hack of 2021 proved that some of North America's most critical networks are vulnerable to a single successful attack: the DarkSide ransomware gang was able to break into the national system through an inactive account that wasn't set up with multi-factor authentication.
Inventory
Businesses that use custom-developed software must now maintain an inventory of their tools that reflects version numbers, patches installed, and other important components. They must also keep an inventory of any and all trusted keys and certificates involved in their payment processing activities.
Scanning & Detection
PCI DSS Version 4.0 gives organizations heightened responsibility for the prevention and detection of malicious activities. This includes an increased focus on endpoint security, regular vulnerability scans, and the use of automated alerts to identify skimming devices or other malicious activity.
Accountability and Education
PCI DSS v4.0 introduces several new standards for the way in which, and the extent to which, organizations train their staff on cybersecurity. It emphasizes the notion that threat mitigation is a continuous process, requiring the ongoing commitment and attention of employees with designated roles and responsibilities. Awareness is another big issue; regardless of how sophisticated a network's security measures may be, no system is secure unless the users who interact with it understand and follow best practices. A great example of this is an incident that impacted the Austrian aerospace manufacturing company FACC in 2016. Attackers only needed to fool one employee to achieve their massive $61 million payout. The PCI SSC aims to strengthen everyday companies' posture against potential attacks and mitigate the risk of employee error or malicious action by increasing awareness through educational initiatives. It further mandates the implementation of automated tools to help protect employees from phishing attacks.
PAN Certificate Verification
The PAN, or Primary Account Number, is a key element in payment processing. PCI DSS Version 4.0 requires organizations to take extra steps when transmitting PANs over open, public networks by verifying that the certificates used for these transmissions are valid.
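As an added illustration (not code from the article or from the PCI SSC), here is a Python client context that enforces the certificate validation this requirement calls for, the careless configuration that silently disables it, and a small audit helper that flags the weak settings in existing code; the TLS 1.2 floor is an assumption added here, not something the article states.

```python
import ssl


def pan_transmit_context():
    """Client context for sending PANs over an open network: the server's
    certificate must chain to a trusted CA and must match the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    # Assumed hardening beyond the article's text: refuse early TLS versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def careless_context():
    """The pattern that fails the requirement: any certificate is accepted,
    so a man-in-the-middle can present its own and read the PAN in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context; an empty list means the
    context verifies certificates the way the requirement expects."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("early TLS allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(pan_transmit_context()))
    print("careless:", audit_context(careless_context()))
```

The hardened context is what you would pass to `ssl.SSLContext.wrap_socket` or `http.client.HTTPSConnection(context=...)` for the payment gateway connection; `audit_context` is useful when reviewing code that builds its own contexts.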
Getting Ready for PCI DSS v4.0
Although its details were just announced, PCI DSS v4.0 won't officially go into effect until March 31, 2024. That leaves qualifying businesses a mere five months to prepare. Luckily, this isn't the first time changes have happened, so many will already be prepared from the introduction of v3.0. It's just a matter of fully grasping what the newest set of standards calls for.
Our recommendation is to get moving as soon as possible with a structured gap analysis to determine which changes need to be made. If it's been more than a year since your organization last conducted its PCI compliance audit, now is the time for another one.
For organizations that haven't been able to keep up with the ever-evolving world of digital security, there are third-party compliance audit firms and other services available to help you prepare for PCI DSS v4.0 requirements. NoX90 is one such provider, specializing in advanced attack surface and risk management solutions for businesses of all sizes.
Keep your customers' data safe from ever-evolving digital threats by reaching out today.