Like any industry, cybersecurity has seen many changes over the years. They stem from many different things, such as new technologies, responses to emerging cyber threats, or updates to existing compliance standards. At the end of March this year, we saw an excellent example of the last one with the latest version of the PCI Data Security Standard (PCI DSS), v4.0. In this article, we will dive headfirst into the subject and explore what has changed in the new version and how the changes affect interested parties.
What is PCI DSS?
As you probably know, PCI DSS is a global standard that covers the latest payment industry security measures. It is mandatory for any business that processes card transactions, and it defines the minimum set of technical and organizational requirements designed to help financial companies protect cardholders’ data against fraud through robust payment security.
PCI DSS requires an annual certification, which includes a detailed security audit that covers areas like:
- Network security, segmentation, and management
- Account data protection
- Vulnerability management
- Access control management
- Security events monitoring and testing
- Policy frameworks
- And others
As you can imagine, the PCI DSS applies to thousands of companies in various industries, and it will become even more critical with the penetration of digital payments.
What should you know about PCI DSS v4.0?
The standard was released over two months ago, and there are already various resources available. Version 4.0 of PCI DSS aims to:
- address the latest security needs in the payment industry;
- support the promotion of constant development of cybersecurity;
- provide more room for flexibility for companies with different cybersecurity strategies;
- introduce improvements to validation procedures.
To meet these goals, PCI DSS v4.0 has introduced some significant changes. However, there is a transition period: the previous version, 3.2.1, will remain active and valid for the next two years alongside the new one. That means two versions of the standard will be in force for companies in the payment industry, and companies and organizations will have time to adapt to the new requirements.
What are the significant changes in PCI DSS v4.0?
Some of the most notable changes affect the following aspects of the standard:
- Authentication requirements – introduction of new requirements for multi-factor authentication and multi-factor authentication systems;
- Changes in password requirements – password length increased to 12 characters. Some changes for passwords apply only to organizations that don’t use multi-factor authentication;
- The option to use group and shared accounts, introduced in v4.0 to provide more flexibility. More flexible options are presented in the section on targeted risk analysis as well;
- Another step towards flexibility is the customized approach, which allows organizations to show how they are meeting the standard’s requirements. There are now two validation methods: the traditional one (the defined approach) and the new customized approach. With the second one, the organization determines the security controls that will allow it to meet the PCI DSS objectives. The assessor then chooses specific testing procedures based on the particular customized approach and validates the security controls against them;
- Each organization chooses which validation method to use. However, the customized approach is suitable for organizations that have more robust security measures and experience;
- Some new changes address the application of the standard to cloud environments by showing more examples and adding clarifications in the section for service providers to make it more understandable how to apply it to cloud providers;
- Some changes address emerging cyber threats – two new requirements regarding phishing attacks and a set of requirements to handle skimming attacks;
- Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
Members of the PCI DSS Security Council share that there are improved guidelines for the implementation of the standard and a better reporting system.
Achieve compliance for PCI DSS v4.0
We expect more organizations to shift to PCI DSS v4.0 even though the old one will be active for two more years: version 3.2.1 will remain in force until 31.03.2024. Experts and companies have a little less than 24 months to become familiar with the new requirements and see how things work. Some of the new requirements will also have an additional period of one year before they become mandatory.
It may seem like there is a lot of time ahead. However, we always try to encourage our partners and clients to introduce the latest and best practices for cybersecurity. It is good to start planning now to implement PCI DSS v4.0 rather than wait until the last possible moment. We are here to support this transition. Just give us a call!