PCI DSS 4.0
Payment Card Industry Data Security Standard
PCI DSS 4.0 Audit Management and Continuous Compliance by Experts
The newest version of PCI DSS addresses this societal evolution in many ways. Although the 12 core requirements remain in place to protect cardholder data, the focus has moved toward initiating many security objectives designed to guide the implementation of security controls.
The PCI DSS is made up of 12 requirements divided into 6 categories:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
These days, cardholder data is safeguarded in several ways, with one of the most important to emerge in recent years being identity and access management (IAM). PCI DSS v4.0 recognizes this priority, aligning with the NIST guidance on digital identities. That is in response to the increased use of cloud-based technologies and the accompanying need for stronger authentication protocols.
In keeping with its ongoing goal of safeguarding cardholder information, the PCI Security Standards Council (PCI SSC) is rolling out a new version of its Payment Card Industry Data Security Standard (PCI DSS). This updated iteration reflects three years of feedback from players across the global payments industry belonging to over 200 organizations. With this most recent update comes a transition to outcome-based requirements to meet the security industry’s evolving needs, emphasizing security as a continuous process with a focus on flexibility and customizability.
Although only four years have passed since the last version of the standard, v3.2.1, was put in place, tumultuous changes have required a new set of modifications. The COVID pandemic acted as the catalyst for abrupt shifts in shopper behavior and the adoption of cloud-based platforms that facilitated online shopping and remote work. Alongside this evolution, cyber attackers developed ever more sophisticated ways to compromise data and take over digital systems.
PCI DSS 4.0 Changes
The new emphasis on customizability allows organizations to construct their authentication systems to meet the standard’s requirements and the company’s risk environment. Additionally, PCI SSC is working with Europay, Mastercard, and Visa to implement the 3DS Core Security Standard during the transaction authorization process.
Encryption has long been used to keep cardholder data safe, and the new version of PCI DSS builds on this foundation by expanding on trusted networks. Additionally, the mandated data discovery for identifying all sources and locations of cleartext primary account numbers (PANs) must now be performed more frequently: at least every 12 months, or whenever the cardholder data environment undergoes significant changes.
Multifactor authentication (MFA) for all accounts that can access cardholder data has become more stringent.
Access privileges must be reviewed at least once every six months.
Permissions for group, shared, and public accounts are addressed.
Targeted risk analyses allow organizations to establish the frequency of performing certain tasks.
Strong passwords are required for accounts and systems.
They should be at least 15 characters long, including numeric and alphabetic characters. Additionally, any password must be compared against a list of known bad passwords.
Passwords used for applications and systems must be changed at least every 12 months or if there is suspicion of compromise.
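The password rules listed above (length, character mix, known-bad list comparison, and rotation interval) are easy to get subtly wrong when implemented by hand. The following Python checker is an added example, not code from this page or from the PCI SSC; it encodes the rules exactly as the page states them (15-character minimum, at least one alphabetic and one numeric character, rejection of anything on a known-bad list, rotation after 12 months or on suspected compromise). The `KNOWN_BAD` set is a small constructed sample standing in for a real breach-derived list, and the choice of 365 days for "12 months" is an assumption.

```python
"""Password policy check modelled on the PCI DSS 4.0 rules summarised on this page.

Added example. Assumptions (not from the page):
- KNOWN_BAD is a constructed sample; a real deployment loads a breach-derived list.
- "12 months" is treated as 365 days for the rotation check.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 15       # per the page: at least 15 characters
MAX_AGE_DAYS = 365    # assumption: 12 months ~ 365 days

# Constructed sample of known-bad passwords (not a real breach corpus).
KNOWN_BAD = {
    "password123456789",
    "welcome1welcome1",
    "summer2024summer",
}


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def check_password(candidate: str, known_bad=KNOWN_BAD) -> PolicyResult:
    """Return every rule the candidate violates, so users get actionable feedback
    rather than a single opaque rejection."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        failures.append("no numeric character")
    # Compare case-insensitively so a trivially re-capitalised known-bad value
    # does not slip past the list.
    if candidate.lower() in {p.lower() for p in known_bad}:
        failures.append("appears on the known-bad password list")
    return PolicyResult(ok=not failures, failures=failures)


def rotation_due(last_changed: date, today: date, suspected_compromise: bool = False) -> bool:
    """True when the page's rotation rule requires a change: the password is older
    than 12 months, or a compromise is suspected."""
    if suspected_compromise:
        return True
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for pw in ["password123456789", "shortpass1", "abcdefghijklmnop", "Tr0ub4dor&3xample!q"]:
        result = check_password(pw)
        print(f"{pw!r}: {'OK' if result.ok else ', '.join(result.failures)}")
    print("rotation due:", rotation_due(date(2023, 1, 1), date(2024, 1, 2)))
```

In practice the known-bad comparison is done against a large breach-derived list, often via hashed lookups so the list itself is never held in cleartext; the in-memory set here keeps the example self-contained.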
Ready To Get Started?
If you have any questions about PCI DSS or how it affects your business, don’t hesitate to contact us. We would be happy to help you get started on your compliance journey.