This time next year, PCI DSS 4.0 will come fully into effect, replacing the current standard, 3.2. 1, that has been in place since 2018.
PCI SSC’s newest version shouldn’t come as a surprise to most. It was first released in March 2022. But with a two year grace period to allow vendors and credit card companies to adapt, many companies that fall under PCI have put off updating their systems, policies and procedures.
Now, time is of the essence. Meeting the requirements of PCI 4.0 is not achievable overnight. Merchants and service providers should act urgently to ensure they’re compliant by March 2024.
With that in mind, here’s everything you need to know about PCI-DSS 4.0.
Why is PCI releasing an update?
Standard version 3.2.1 of PCI DSS has been in place for a little over five years now, since 2018. As we all know, a lot has gone on since then—most notably the pandemic, which accelerated the move to online payments, e-commerce and digital banking.
As the world becomes more tech-driven and payment solutions evolve, PCI needs to keep up with the pace of change. Otherwise, people’s credit card data could be at risk.
Moreover, just as digital payment solutions are developing, malicious actors are continuously maturing their tactics, coming up with new and innovative ways to intercept payment card data.
To ensure merchants and service providers adequately protect this information, PCI must regularly review and update its standard to meet modern data protection requirements.
What’s new in PCI DSS 4.0?
The 12 core PCI DSS requirements remain the same in PCI DSS v4.0. These requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Now, while the requirements are fundamentally similar to the previous version of PCI DSS, the body has reengineered the control implementation process, with an increased focus on security objectives.
With that in mind, the major aims of PCI DSS 4.0 are:
- Maintain a standard that meets the security requirements of the payments industry
- Embed flexibility into the standard through customization options
- Advocate for continuous security
- Improve user authentication mechanisms
The major changes in PCI DSS 4.0
There are a total of 64 new controls in PCI DSS v.4, with 51 requirements for all organizations that come under the standard and 13 specifically for service providers. Here’s a closer look at the biggest changes in PCI DSS 4.0.
With the previous version of PCI DSS, merchants and service providers had to go through quite a laborious process when they could not meet a prescriptive control: proposing a new control, substainting their reasoning with a risk assessment and filling out a compensating control worksheet (CCW).
With PCI DSS 4.0, organizations can still go through this process, but the body has recognized there’s a better way in some instances. It has introduced a customized control approach, which enables organizations to note the use of a new control based on the fact the control is customized.
When it comes to assessment, the assessor can then assess the customized control instead of the control it is substituting. All in all, this approach provides much needed flexibility for risk-mature organizations to achieve compliance.
Robust authentication requirements
Controlling who has access to data through identity and access management (IAM) is vital to adequately protecting cardholder data. This is especially important in the cloud-first world, where employees access company resources from remote locations. Proving people are who they say they are is crucial to managing insider threats and credentials compromise.
While the standard does not use the term zero trust in of itself, the philosophy is deeply embedded throughout. Closely following NIST’s Digital Identity Guidelines: Authentication and Lifecycle Management, it mandates organizations to:
- Use Multifactor authentication (MFA) for all user accounts able to access cardholder data, rather than only administrators.
- Update passwords at a maximum of every 12 months for such accounts, and also in the event compromise is suspected.
- Use strong, difficult-to-guess passwords for these accounts. These passwords must have at least 15 characters and include a mixture of alphabetic and numeric passwords.
- Review access privileges bi-annually
- Limit vendor and third-party account access, only allowing if necessary. If such access is granted, it must be monitored consistently.
The new version widens the applicability for encrypting cardholder data on trusted networks. It also expands data discovery requirements. Organizations must now find every source and location of cleartext primary account numbers (PAN) at least annually, or every time there is a significant change to the cardholder data environment.
When we consider code injection attacks are a huge risk to ecommerce players and financial services, it’s easy to see why PCI has updated the standard in this way.
Research from Verizon shows that less than a third of organizations maintained compliance with PCI DSS in 2019. This is indicative of a wider issue relating to organizations and compliance standards. They treat the assessment as a point-in-time process, rather than viewing compliance as an ongoing endeavor.
The update sets to rectify this by focusing on the notion of continuous compliance, rather than periodic
Throughout the new controls, the emphasis is on security-by-design along with real-time monitoring and reporting. The idea being that, should an assessor check in at any time, an organization will be able to quickly and seamlessly demonstrate compliance.
The challenges of v4.0 compliance
Protecting payment cardholder data across a range of applications and environments is no easy feat. A decade ago, when organizations mainly operated on premises, it was far easier to verify users, locate data and, thus, maintain security and compliance.
But with most organizations now using cloud applications like Teams, Slack and Box, things are complex. Organizations must discover, protect and monitor sensitive data across these environments, ensuring that only authorized, legitimate users access this information – and use it in line with compliance.
Traditional security tools don’t possess the capabilities to track payment card information in these environments. Companies need to take another approach: investing in data-centric, zero-trust security tools that drive effective compliance.
How Polymer DLP helps
Polymer data loss prevention (DLP) is a cloud-based data discovery, protection and compliance solution that gives you visibility and control over cardholder data in cloud applications.
Our no-code tool takes just minutes to deploy and works to meet your compliance requirements autonomously.
Harnessing the power of natural language processing, our self-learning engine quickly discovers, classifies and secures sensitive data like PCI, PII and PHI in your cloud apps in both structured and unstructured formats.
From there, our tool deeply embeds zero trust into all data interactions, analyzing a variety of contextual factors to ensure that only authorized, legitimate users interact with your data – remediating potential compliance violations and risky actions in real-time.
While all of this is happening, Polymer DLP also automatically generates audit reports on your behalf, making it straightforward for you to demonstrate continuous compliance with assessors in just a few clicks.
Concerned about what cardholder data could be lurking in your cloud environments? Try a free Polymer risk scan today to find out.