It’s official—the Payment Card Industry Security Standards Council has issued the updated PCI DSS! As the industry’s security requirements continue to evolve, PCI DSS 4.0 is the next evolution of the standard that addresses new risks and technologies and enables innovative countermeasures possible.
All About PCI DSS 4.0
The most recent version of the Payment Card Industry Data Security Standard, PCI-DSS 4.0, has been released in March 2022. Like previous iterations of PCI-DSS, version 4.0 consists of a thorough collection of recommendations designed to protect the systems used for the processing, storing, and transmission of credit card data.
Any entity that processes, maintains, or transmits cardholder data is subject to PCI-DSS. Organizations must adhere to a variety of requirements in order to be compliant, including continual monitoring and testing, the use of effective access control mechanisms, the protection of cardholder data, and others.
Although the full text of PCI-DSS 4.0 has yet to be released, we do already know a fair bit about it. Four objectives have been established by the PCI Security Standards Council, the entity in charge of PCI-DSS, to direct the development of Version 4.0:
- Verify that the standard remains compliant with the payments industry’s security requirements.
- Enhance flexibility and support for additional security techniques
- Encourage security as an ongoing effort.
- Improve validation techniques and processes.
What Does The Upgrade Include?
Access Management
To reflect the most recent industry best practices for password and multi-factor authentication, the new version of the PCI DSS may include updates to the authentication standards. The following are possible conditions for authentication:
- Not just administrators, but all accounts with access to the cardholder data environment should be using multifactor authentication.
- Applications and systems accounts’ passwords are reset at least once every year and whenever there is a suspicion of intrusion.
- Password must meet the following minimum level of complexity: at least 15 characters, a combination of numeric and alphabetic characters, and prospective passwords are compared against the list of known bad passwords as PCI DSS requires.
- Access privileges are to be reviewed at least once every six months.
- Accounts for vendors or third parties may only be activated when necessary and monitored when in use.
Data Validation
The new version has improved alignment between data reported in and between formal Reports on Compliance (ROC) and the Self-Assessment Questionnaire, as well as clear validation options and reporting granularity supporting better report transparency (SAQ).
Customized Approach
Additionally, a two-track strategy for PCI DSS compliance is included in version 4.0. A new track known as the “Customized Approach” gives in-scope entities more flexibility to achieve compliance by employing techniques and testing procedures that are not officially included in the standard.
Continuous Security
The emphasis of the new version is on clearly defining roles and duties for each requirement. It also provides instructions for implementing and maintaining security procedures as well as additional reporting choices for areas that could use improvement, enhancing reporting transparency.
Strive For Technology Advancement
The risk-based strategy may receive more attention in the new version. The Secure Software Lifecycle component of the Software Security Framework (SSF), which will shortly replace the PA-DSS, will allow businesses to choose to have their Software Development Lifecycle (SDLC) certified as part of the process.
Adopting this framework will enable organizations to adhere to standards and benefit from quicker process adoption. SSF might not be necessary, but it would still involve employing an assessor for delta modifications and re-evaluating the software every three years.
Timelines
The security standard’s first significant change since 2018 is version 4.0 of PCI DSS. The present version of PCI DSS will be in use for another two years before being decommissioned on March 31, 2024, giving organizations time to understand and execute the modifications mandated by version 4.0.
From June 2022, training sessions for qualified and internal security assessors on the new version are being offered. Companies will have the option to assess either the current version or version 4.0 after those training are completed. In some cases, businesses will be able to rely on a service provider who has been verified to an earlier PCI DSS version.
Is There A Need To Transform Your Organization?
The audit scramble is a reality for many organizations, but given the ongoing risks, this is no longer an acceptable security strategy. Many businesses will be compelled by the new standard to adopt a new strategy and discard segmented security. Often a department is in charge of certain technological controls, but that won’t be acceptable anymore.
Customers will view this as a necessity for centralizing the concept of compliance and security within the business from the standpoint of how it will affect them.
