PCI Compliance Just Got Tougher. Time to Start Planning.

A new version of the Payment Card Industry Data Security Standard, PCI DSS 4.0, was released on March 31, 2022, the first major update to the standard since 2018. As the news release states, the update “brings major changes to the payments ecosystem” and “places an increased focus on targeted risk analysis, organizational maturity and governance.”

PCI DSS 4.0 addresses the changing technology landscape, most notably the pandemic-driven surge in online transactions, point-of-sale device adoption and the use of cloud platforms for storing cardholder data. The update also takes on an evolving threat climate that increasingly targets these tools and environments. It recognizes that payment data continues to be the most sought-after prize for threat actors, who are now targeting web applications more than point-of-sale devices.

Major Updates in PCI DSS 4.0

The general goals of PCI DSS 4.0 are to:

  • Make sure the standard meets current security needs.
  • Provide additional flexibility and support to meet those needs.
  • Make compliance a continuous process rather than an annual audit.
  • Improve procedures for validating compliance.

While the previous standard allowed merchants and service providers to implement and justify alternative controls when the prescribed controls could not be met, PCI DSS 4.0 adds the option to develop a customized control approach that meets the same security objectives. In other words, if you don’t like their way, you can develop your own solution, as long as you can demonstrate that these “compensating controls” meet the current compliance requirements.

PCI DSS 4.0 also increases requirements for identity and access management and data encryption. Multifactor authentication is now required for all accounts that can access cardholder data. Access privileges must be reviewed at least every six months. Encryption of cardholder data has been expanded to include trusted networks. These updates reflect an increased emphasis on zero-trust security.

Why You Should Start Planning Now to Achieve Compliance

If you accept credit and debit cards or handle cardholder data, you need to comply with the new standard. However, compliance has actually declined, according to the Verizon 2020 Payment Security Report. In fact, just 27.9 percent of organizations achieved full compliance in 2019, down 8.8 points from 2018. Noncompliant companies point to a lack of resources, lack of commitment from leadership, and a disconnect between data security strategy and business strategy.

However, noncompliance can be costly if a data breach occurs. Penalties range from $5,000 to $10,000 per month for one to three months of noncompliance, rising to $50,000 to $100,000 per month for seven months or more. That doesn’t even include the cost of compensating customers, potential lawsuits stemming from noncompliance, or the increased risk of customer churn.

Many PCI DSS 4.0 changes are considered best practices until March 31, 2025, after which they become requirements. Given the sad state of compliance, organizations should begin taking steps now to meet the new requirements.

Verteks Can Help

PCI compliance is not about quick fixes that will inevitably fail due to changes in technology and the threat climate. It’s about developing a long-term strategy for maintaining compliance and ensuring that cardholder data is protected.

Use a next-generation firewall and intrusion prevention system to guard the network perimeter. Continuously monitor your network for suspicious activity. Update anti-malware software, implement advanced encryption systems, back up your data offline and off-site, and beef up your user authentication requirements.

PCI compliance was already complex and these new changes aren’t making it any simpler. Verteks can help you develop a compliance plan so that you’re not scrambling at the last minute when best practices become requirements. Contact us today to get the ball rolling.
