The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard that establishes baseline operational and technical requirements for protecting account data. The next evolution of the standard, PCI DSS v4.0, was released on March 31, 2022.
The latest revision of the PCI standard, PCI DSS v4.0, significantly changes the criteria while emphasizing ongoing security and including new approaches to comply with them. PCI DSS v4.0 replaces the PCI DSS version 3.2.1 in an effort to handle emerging threats and technologies strategically, offer innovative approaches for combating growing threats, and secure other elements in the payment ecosystem.
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all payment card account processing entities – merchants, processors, acquirers, issuers, and other service providers.
PCI DSS v3.2.1 remains valid for two years after the release of PCI DSS v4.0 on March 31, 2022. The transition period, which runs from March 31, 2022, to March 31, 2024, gives organizations time to become familiar with the PCI DSS v4.0 updates, update their reporting templates and forms, and plan and implement the changes. Some requirements take effect immediately, but most do not until March 31, 2025, giving organizations a full additional year to implement the more challenging ones.
The PCI DSS v4.0 updates intend to address the ever-evolving security requirements of the payments industry, promote security as a continuous process, boost flexibility, and enhance procedures for organizations employing various security-related approaches.
The latest version introduces several updates. For a comprehensive view, please refer to the Summary of Changes from PCI DSS v3.2.1 to v4.0, found in the PCI SSC Document Library.
The main change is a completely new way of meeting requirements, called the customized approach, which adds flexibility. A customized approach allows organizations to use newer technology and innovative controls to meet the security objective of a PCI DSS requirement. As a result, organizations can satisfy the stringent PCI DSS criteria in a way that fits their own environment.
The assessor will examine the entity's customized approach documents (including a controls matrix and a focused risk analysis) and create a procedure for evaluating the controls to confirm that the customized controls adhere to the PCI DSS requirements.
The distinction between customized controls and compensating controls must be made clear. Compensating controls, also known as mitigating controls, are used when an organization cannot meet a requirement as written because of a legitimate and documented technical or business constraint. Customized controls, on the other hand, are a deliberate, flexible alternative to implementing the defined requirement, not a fallback for a requirement that cannot be met.
Major updates have been made to security measures to continue to meet the security requirements of the payments sector, which must evolve as threats change. These include:
Disk-level or partition-level encryption may now be used to render PAN unreadable only on removable electronic media; for non-removable media it must be combined with another method.
Requirements were merged and updated so that alerts from security monitoring systems are monitored and responded to as part of the incident response plan.
New requirement for all entities to detect, alert, and promptly address failures of critical security control systems. This requirement is a best practice until 31 March 2025.
Protecting sensitive payment card data requires installing and maintaining network security controls. These safeguards include strong firewalls, intrusion detection systems, and encryption methods to prevent data breaches and cyberattacks.
Malicious actors frequently attack systems using default vendor settings and passwords, both within and external to an organization. These passwords and settings are well-known and can be discovered using data that is readily accessible.
Applying secure configurations to all system components reduces the chance that an attacker can compromise them. The attack surface can be decreased by changing default passwords, removing unnecessary software, functionality, and accounts, and disabling or uninstalling unnecessary services.
Important elements of account data protection include encryption, truncation, masking, and hashing. Even if a hacker manages to get past other security measures and acquire encrypted account data, the hacker cannot access the data without the correct cryptographic keys. Examples of risk-reduction strategies include avoiding holding account information unless absolutely essential, truncating cardholder data when the entire PAN is not required, and refraining from providing unprotected PANs via end-user messaging platforms like email and instant messaging.
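The paragraph above names four techniques (encryption, truncation, masking, keyed hashing) and one practice (keeping unprotected PANs out of email and chat). The following is an added, illustrative Python example, not code from Securiti or from the PCI SSC, showing three of them together: a Luhn check, display masking that keeps the first six and last four digits (an assumed entity policy; PCI DSS v4.0 allows at most the BIN and last four to be shown), a keyed hash (HMAC-SHA256) for a PAN lookup index, and a small scanner that flags likely unprotected PANs in outbound messages while reporting only the masked form. The sample messages and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so an 8-digit order number is not a candidate).
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping only the leading and trailing digits (assumed policy)."""
    hidden = len(pan) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to mask with these parameters")
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash of a full PAN (HMAC-SHA256), usable as a lookup index.

    PCI DSS v4.0 requires hashes that render PAN unreadable to be keyed; an unkeyed
    hash of a 16-digit number can be brute-forced. The key must be managed as a
    cryptographic key, separately from the hashed data.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_unprotected_pans(text: str) -> list[str]:
    """Return masked forms of Luhn-valid PAN candidates found in free text.

    Intended for a DLP-style check on outbound email or chat. Only the masked
    form is returned so the detector's own output never carries a full PAN.
    Luhn filtering removes most accidental matches (timestamps, IDs) but not all,
    so results are leads for review, not proof of a leak.
    """
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample messages (test PANs, not real card numbers).
SAMPLE_MESSAGES = [
    "Customer PAN is 4111 1111 1111 1111, please refund the order.",
    "Order 12345678 shipped today, tracking number to follow.",
    "Ticket 4111111111111112 escalated to tier 2.",  # fails Luhn, not a PAN
]

if __name__ == "__main__":
    # Constructed key for the example; a real key comes from a key-management system.
    demo_key = b"example-key-from-kms"
    for msg in SAMPLE_MESSAGES:
        print(msg[:40] + "...", "->", find_unprotected_pans(msg))
    print(keyed_pan_hash("4111111111111111", demo_key))
```

The scanner returns masked values because a monitoring tool that logs the full PAN it just found would itself create a new place where account data is stored, which the same requirement is meant to prevent.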
Strong cryptography helps preserve the confidentiality, integrity, and non-repudiation of data. PAN must be encrypted in transit over networks, especially untrusted and public networks that attackers can easily reach, to prevent compromise. If an entity's internal network(s) store, process, or transmit cardholder data, those transmissions bring the network(s) into PCI DSS scope, and they must be evaluated and assessed against the relevant PCI DSS requirements.
All systems and networks must be protected from malicious software, and any malicious software or firmware found must be detected and removed. Examples of malicious software include viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, and malicious code, scripts, and links.
It is crucial to develop and maintain secure systems and software, since security vulnerabilities can be exploited by individuals with malicious intent to gain privileged access to systems. Organizations must routinely update their software components with the necessary security patches to close known vulnerabilities.
Ineffective access control rules can allow unauthorized individuals to reach critical data or systems. Systems and procedures that restrict access based on need to know and in accordance with job duties must be in place to ensure that only authorized individuals can access data. These requirements apply to user accounts and access for employees, contractors, consultants, internal and external vendors, and other third parties (for example, those providing support or maintenance services). Certain requirements also apply to application and system accounts used by the entity (also called "service accounts").
Two fundamental principles of identifying and authenticating users are to:
The element used to prove or verify the identity is known as the authentication factor. Authentication factors are:
Any physical access to systems that store, process, or transmit cardholder data should be suitably limited since it allows individuals to access and/or remove systems or hardcopies containing cardholder data.
To prevent, identify, or limit the impact of a data compromise, it is essential to have logging mechanisms and the ability to track user activity. Logs on every system component and throughout the Cardholder Data Environment (CDE) enable thorough monitoring, alerting, and analysis when something goes wrong. Without system activity logs, it is difficult, if not impossible, to determine the cause of a compromise.
This criterion is applicable to all user activities, including those taken by employees, independent contractors, consultants, suppliers both internal and external, and other third parties (such as those offering support or maintenance services). It exempts the user activity of consumers (cardholders).
To ensure that security policies continue to take into account the ever-evolving environment, system components, processes, and customized and custom software should all undergo regular testing.
The overall information security policy of the organization establishes the tone for the entire organization and specifies what is expected of the employees. Every employee should understand the sensitivity of cardholder data and the need for protection.
Payment Card Industry Data Security Standard (PCI DSS v4.0) introduces several new requirements, including the detection and protection against phishing attacks, more stringent password requirements, and multi-factor authentication, among several others.
PCI DSS Level 4 applies to merchants that process fewer than 20,000 e-commerce transactions annually or up to one million transactions across all channels (e-commerce, card present, and card not present).
The main focus of PCI DSS v3.2.1 is prescriptive security controls, which provide comprehensive guidance on what organizations should do to be compliant. On the other hand, PCI DSS v4.0 places greater emphasis on security results, giving businesses greater flexibility to select the security technologies and methods that are suitable for their particular environment.
PCI DSS v4.0 goes into effect on March 31, 2024, and has 64 new requirements. Some requirements are effective immediately, but the majority of requirements aren’t effective until March 31, 2025, giving organizations a year-long transition period to implement the more challenging requirements.
Complying with PCI DSS v4.0 comes down to understanding the requirements of the updated standard, conducting gap assessments, and introducing the practices and technology needed to incorporate the new requirements.
Start off by understanding the new standard, conducting gap assessments, aligning practices to meet the updated requirements, and conducting the first PCI DSS v4.0 assessment.