If you are a merchant or service provider, then you may know about the changes coming for the Payment Card Industry Data Security Standard (PCI DSS) in Version 4.0 coming into effect from April 1st, 2024.
The Council periodically reviews and updates PCI DSS to ensure it continues to protect against old threats and new emerging threats.
PCI DSS is more than just about cardholder data; it extends to protecting any sensitive data within an organization. While initially focusing on cardholder account data, it now covers a broader range of sensitive information, including names and addresses. This standard applies to any entity involved in processing cardholder data, even if this processing is outsourced.
The transition from version 3.2.1 to 4.0 is a pivotal phase. Version 4.0 is already available for assessment, alongside version 3.2.1, which remains in effect. However, by March 31st of the following year, version 3.2.1 will be officially retired, and only version 4.0 assessments will be conducted.
Version 4.0 reflects evolving technology and emerging threats, particularly pertinent to E-commerce. Notably, cloud technology is referenced over 40 times, highlighting its prominence in today’s landscape. Moreover, version 4.0 emphasizes the need for flexibility in implementing security measures, allowing merchants to tailor solutions to their unique circumstances.
3.3.2 - Encryption of Sensitive Authentication Data (SAD): All SAD, including CVV, must be encrypted, regardless of whether the primary account number (PAN) is present. This requirement ensures heightened security in handling authentication data.
5.4.1 - Protection Against Phishing Attacks: Implement an automated phishing protection mechanism to reduce the risk of falling prey to phishing attempts. This measure fortifies defenses against social engineering threats, reducing potential vectors for malware and ransomware attacks.
6.4.3 - Managing Payment Page Scripts: Merchants must maintain an inventory of all scripts on their E-commerce payment pages. This includes ensuring the integrity of each script to prevent unauthorized modifications and verifying their authorization and execution.
8.3.6 - Password Length Requirement: Passwords of users and administrators accessing the cardholder data must be a minimum of 12 characters. Encourage the use of passphrases for added security.
11.3.1.2 - Authenticated Internal Vulnerability Scans: When conducting internal vulnerability scans, authentication should be employed. This enhances the accuracy and detail of vulnerability assessments, providing a comprehensive view of potential security risks.
11.6.1 - Detect changes of HTTP headers & Payment Pages: A change and tamper detection mechanism must be implemented to ensure unauthorized modifications are quickly reported to security personnel to maintain security.
12.5.2 - Verification of PCI Scope every 12 months: Merchants with cardholder data environments (CDEs) must periodically verify their PCI scope. This involves identifying data flows, documenting storage methods, encryption, and access controls, as well as assessing any changes that may impact security.
Familiarize yourself with Version 4.0: Understand the changes from 3.2.1 to version 4.0 thoroughly. Utilize the resources provided by the PCI Security Standards Council for detailed insights.
Assess Impact on Your Organization: Evaluate how the new requirements will affect your existing information security program. Identify the potential changes, and plan accordingly.
Consider Automation Solutions: Given the complexity of compliance, consider utilizing automated solutions for tracking scripts, ensuring payment page integrity, and managing vulnerability scans.
Stay Informed and Document Changes: Stay updated with PCI DSS developments and document any changes made in response to the new requirements. Consistent documentation is essential for demonstrating compliance.
Merchants may seamlessly handle the switch to PCI DSS 4.0 by being well-prepared and having a thorough awareness of the new criteria. This will guarantee ongoing cardholder data safety and adherence to industry standards.
Since PCI's inception, we have assisted merchants with compliance by offering managed network security solutions that are both cost-effective and easy to understand.
Your focus should remain on running your business, not worrying about the status of your compliance. For more information on PCI Compliance, visit our compliance support resource.
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.