This latest version has made a lot of significant changes for those using the cyber security standard and has fundamentally shifted its focus to a series of more outcome-based requirements.
The previous version, 3.2.1, was published back in 2018, several years before the COVID-19 pandemic. Both consumer and cybercriminal behaviours have changed dramatically since then, leaving PCI DSS 3.2.1 unsuitable for modern organisations.
Online transactions have risen, technology has changed, and cloud platforms have become much more prevalent in the past 4 years, as have the techniques that attackers use to compromise them. The PCI SSC has updated DSS to combat these new challenges and ensure that all organisations under their standard are prepared for any kind of attack.
What is PCI DSS?
PCI DSS is an established information security standard utilised by organisations involved in the transmission, processing, and storage of sensitive payment information. The standard has been designed to improve the cyber security of these organisations, as well as the associated payment transactions and storage mediums that they employ.
The ultimate goal of PCI DSS is to reduce the rate of payment fraud that these organisations and their consumers experience. In recent updates, the PCI SSC has endeavoured to focus more on the security of storage mediums, such as on-premises and cloud solutions, to reduce the likelihood that these businesses will suffer a data breach.
What is new in PCI DSS 4.0?
Whilst the 12 core principles/requirements behind PCI DSS have not changed with the 4.0 update, the requirements beneath them have been redesigned. The PCI SSC has stated that they remain a critical foundation for securing payment card data, but that the requirements needed to be amended to bring them up to date for a post-pandemic environment.
There are several key goals that the SSC have stated for PCI DSS 4.0:
Promote cyber security as a continuous and evolving process.
Ensure that PCI DSS continues to meet the security needs of the payments industry and its associated organisations.
Add flexibility and support for additional methodologies to achieve effective cyber security.
Improve validation methods and procedures.
Version 4.0 also introduces a new way for organisations to meet compliance requirements: customised implementation. As opposed to the traditional prescriptive method, customised implementation allows businesses to design their own security controls to meet the requirements of PCI DSS. This makes it much easier for organisations with non-traditional procedures to gain certification.
Multifactor authentication (MFA) for all accounts that have access to sensitive financial and cardholder information.
Regular updating/changing of passwords for any accounts that utilise sensitive applications and systems, especially when it is suspected that these systems have been compromised.
Passwords for all accounts should be strong: at least 15 characters long, containing numeric characters and both upper- and lower-case alphabetic characters.
Access privileges should be reviewed by organisations at least once every 6 months.
Whilst this list isn’t exhaustive, as PCI DSS 4.0 is such a monumental and overarching update to the certification, we have covered some of the most important changes here. For more information, make sure you visit the PCI SSC website.
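As an added illustration (not code from this post or from the PCI SSC), the following script turns the controls listed above into a small account audit, using the figures the post quotes: MFA on every account, a 15-character password policy with digits and both letter cases, a forced password change after a suspected compromise, and an access review within the last 6 months. The account field names and the sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MIN_PASSWORD_LENGTH = 15                 # length quoted in the post
REVIEW_INTERVAL = timedelta(days=182)    # roughly 6 months

def password_meets_policy(candidate: str) -> bool:
    """Enforced when a password is set or changed; never stored in clear."""
    return (len(candidate) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate))

@dataclass
class Account:
    # Assumed field names for a constructed example; no real system's schema.
    login: str
    mfa_enabled: bool
    password_changed: date
    last_access_review: date
    compromise_suspected: Optional[date] = None

def audit_account(acct: Account, today: date) -> list[str]:
    """Return a list of findings; an empty list means the account is compliant."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if acct.compromise_suspected and acct.password_changed <= acct.compromise_suspected:
        findings.append("password not changed after suspected compromise")
    if today - acct.last_access_review > REVIEW_INTERVAL:
        findings.append("access privileges not reviewed in the last 6 months")
    return findings

def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    return {a.login: audit_account(a, today) for a in accounts}

# Constructed sample records and audit date
SAMPLE_ACCOUNTS = [
    Account("svc-payments", True, date(2023, 4, 10), date(2023, 3, 1)),
    Account("ops-admin", False, date(2023, 1, 15), date(2022, 6, 1), date(2023, 2, 1)),
]
AUDIT_DATE = date(2023, 6, 1)

def run_sample_audit() -> dict[str, list[str]]:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)

if __name__ == "__main__":
    for login, findings in run_sample_audit().items():
        print(login, "OK" if not findings else "; ".join(findings))
```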
Does your business require PCI DSS 4.0 compliance? Are there certain aspects of the standard that you are struggling to meet? Do you require a particular cyber security system to achieve compliance? Get in touch with us. At Wizard Cyber, we can provide support for a wide variety of managed and non-managed cyber security services and products.