PCI DSS is getting a long-awaited makeover and banking institutions need to take note. Sure, banks should be in good stead to meet PCI compliance, given that they already contend with a range of strict data privacy regulations and auditing requirements, such as the GLBA, SOX and regular audits from the FDIC and NCUA.
However, despite some overlap between these different standards, PCI DSS is very much its own regulation. Complying with it requires extensive planning and investment.
Even for those banks who felt confident in PCI compliance up until now, the new version will require some big adjustments.
With that in mind, we’ll walk banks through everything they need to know about PCI DSS 4.0, which comes into force on April 1, 2024.
Why is PCI DSS 4.0 relevant to banks?
PCI DSS is of inherent interest to banking institutions–especially acquirers. All acquirers have significant responsibilities under the standard with regard to their merchants, including determining reporting methods and enforcing compliance.
Under PCI DSS 4.0, this hasn’t changed per se, but acquirer duties have become more complex and nuanced. Similarly, for issuing banks, PCI DSS contains some major updates that require attention.
On top of this, it’s vital to remember that achieving PCI DSS compliance is by no means an easy feat. Verizon research from 2020 found that less than 30% of organizations maintained full compliance with PCI DSS.
Clearly, banks are struggling to both enforce and meet the controls of the standard.
While the new version is far from straightforward to implement, the investment is well worth it–not just to avoid monetary penalties, but also to reduce the risks of data leakage and data theft, and to maintain customer trust.
What’s new in PCI DSS 4.0?
Preparing for PCI DSS 4.0 will take work. The standard includes new controls and processes that most banks have yet to implement, including:
- Disk-level encryption is no longer allowed as the only means of protecting stored cardholder data
- New requirement for keyed cryptographic hashes
- New requirement to deploy automated technical solutions for web applications that detect and prevent web-based attacks
- More stringent multi-factor authentication controls
- Greater flexibility in how organizations demonstrate that they are using different methods to meet security objectives
- Acquirers will need to conduct targeted and regular risk analysis activities, which should provide more flexibility
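As an added illustration (not code from the original post or from Polymer), the Python sketch below shows two of the controls listed above: a Luhn-checked discovery-and-redaction pass over constructed sample text, and the difference between an unkeyed SHA-256 of a PAN and an HMAC keyed hash, which is what the keyed cryptographic hash requirement calls for. The sample PAN and text are constructed test values, and the key passed to the keyed hash is assumed to come from a managed key store.

```python
import hashlib
import hmac
import re

# Constructed sample text, not real account numbers: 4111111111111111 is a
# well-known test PAN that passes the Luhn check; 4111111111111112 fails it.
SAMPLE_TEXT = (
    "Refund for card 4111111111111111 approved; reference 4111111111111112 "
    "is a ticket number and 12345 is an order id."
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """DLP-style discovery: 13-19 digit runs that also pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_valid(m)]


def redact_pans(text: str) -> str:
    """Mask each detected PAN, keeping at most the first 6 and last 4 digits."""
    for pan in find_pans(text):
        text = text.replace(pan, pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return text


def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256: anyone can recompute it from a guessed PAN, so on its own
    it no longer satisfies the v4.0 keyed-hash requirement for stored PANs."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 keyed hash: without the secret key the value cannot be
    recomputed or checked. The key (assumed here to be supplied by a managed
    key store) must never be hard-coded alongside the data it protects."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
```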
You can view the full range of updates here. While the list can seem overwhelming at first, you still have time to get to work on implementing the changes.
Because some updates involve adopting cyclical requirements, they will probably take more time and effort to integrate fully. Being proactive and getting ahead of the deadline is vital–both for you and, where applicable, your merchants.
Of course, not all banks operate in the same way. Some perform their own merchant activities, and others are considered acquirers. Below, we’ll explore how each type of entity can begin moving towards PCI DSS 4.0.
For banks that perform their own merchant activities
Banks that perform their own merchant activities should take the following steps to get onto the road towards compliance:
- Undertake a readiness assessment to determine gaps between where you are now and where you need to get to
- Create, if you haven’t already, a dedicated compliance team who will drive control adoption against a project timeline
- Embrace a mindset shift; the new version of PCI DSS aims to move away from checkbox compliance to 24/7, real-time security
- Assess whether a customized approach could be right for your organization
- Begin mapping out documentation–policies and procedures–alongside implementing technical and security requirements
For acquiring banks
Acquiring banks will need to carry out all the above duties and then some. They’re not just responsible for their own institution’s compliance, but for that of the merchants and service providers they work with.
As a result, acquirers will also need to arrange the following with merchants and service providers:
- Liaise with each to understand more about their schedule for complying with the new iteration of PCI DSS
- Learn more about their risk management policies and processes
- Ask them to return a self-assessment questionnaire detailing their gaps in PCI DSS v4 compliance and their proposed strategy, with timelines, to close them
- Encourage them to take a readiness assessment sooner rather than later so that they’re compliant well ahead of the deadline
Simplifying PCI compliance with Polymer DLP
PCI DSS requires that certain types of cardholder data and authentication data are stored only in encrypted form and only in in-scope systems. Polymer data loss prevention (DLP) uses AI and natural language processing to discover and redact this information in your cloud apps, ensuring that no PCI data is unlawfully shared or accessed.
With Polymer DLP, banks, merchants and service providers no longer have to worry about cardholder data exposure in the cloud. Plus, with highly granular auditing and detailed event mapping, compliance teams have multiple ways of monitoring and applying compliance protocols.
Concerned about what cardholder data could be lurking in your cloud environments? Try a free Polymer risk scan today to find out.