
New payment security standards create new opportunities for online financial firms

A sticker pasted at the entrance of a business lets customers know that they accept American Express credit cards on Jan. 24, 2020, in Chicago. (Photo by Scott Olson/Getty Images)

New security standards released a month ago have promised to create a much more secure environment for card-based payments.

PCI DSS 4.0 is said to give businesses “more flexibility,” while allowing them to select and use their own solutions to meet the security objective of PCI DSS, according to a release.

Indeed, since malicious code downloads and intrusions have become among the more difficult challenges for financial firms in recent months, this standard is expected to help better protect card data. This major update to the PCI Data Security Standard — the first since 2018 (version 3.2.1) — aims to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information, according to the PCI Security Standards Council.

“PCI DSS 4.0 is the next evolution of the PCI DSS standard,” said Sean Smith, manager for PCI advisory services at Optiv. “And, at a very high level, the total number of possible controls increases from 370 to over 500 controls. These controls are used for PCI DSS compliance assessments.”

Furthermore, the pandemic has fueled many more digital card payments as individuals and businesses opted to make more online purchases rather than deal with having to go into stores and risk COVID exposure. According to the council, other than meeting security needs and being more “flexible,” the main goals of PCI DSS 4.0 are to “promote security as a continuous process” and “enhance validation methods and procedures.”

“Even though PCI DSS 4.0 keeps the existing prescriptive method for compliance, the new version introduces an alternate option for meeting compliance: customized implementation,” according to the release from the council. “Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.”

Marc Punzirudu, field chief technology officer for PKWARE, said: “There are several reasons for the changes in PCI DSS v4.0 — to encourage business as usual, create flexibility, remove some gray areas and evolve for modern security. They were all identified as areas related to weaknesses in v3.2.1.”

Punzirudu pointed out that the three types of changes for the standard can be categorized under: structure and format, clarification and guidance, and evolving requirements.

The third is the biggest one, and the one organizations will likely focus their efforts on the most because of the changes to the controls and requirements, according to Punzirudu.

“The defined approach is the traditional method for implementation and assessing PCI scope,” Punzirudu said, “while the new customized approach allows flexibility to organizations with mature security programs, to map their information security program directly to the PCI DSS.”

The new PCI DSS standard lines up with the recently released NIST guidance on digital identities for authentication and computing management. Hence, the newest PCI standard sets expectations for access to cardholder data: passwords for application and system accounts must be changed once a year, strong passwords must contain at least 15 characters including both numeric and alphabetic characters, access privileges must be reviewed every six months, and third-party accounts are subject to restrictions.

With the introduction of this new standard, the PCI Council expects: documented responsibility requirements; targeted PCI risk requirements (with automated phishing detection required); more fortified e-commerce firewalls and better protection on payment pages; automated reviews and alerts for security information and event management (SIEM); vulnerability scanning, data governance and incident response; longer and more complex passwords (12 characters rather than 7) and enforced rotation of passwords every three months, as well as the enforced use of multi-factor authentication.

For the immediate future, the previous PCI DSS version 3.2.1 will continue as the standard, until it is retired at the end of the first quarter of 2024; and even then, PCI DSS 4.0 includes several hold-over practices or controls that will stay in place through the first quarter of 2025, according to Smith.

“The sooner gaps are identified in meeting PCI DSS 4.0 requirements, the sooner projects can be planned, budgets requested, and work can begin to address compliance gaps,” Smith said.
