Deadline approaching for compliance with new payment card security standards.
Cash is no longer king. Card payments now account for more than 80 percent of consumer transactions in the U.S., and more than two-thirds of Americans say it is likely that the U.S. will become a fully cashless society during their lives. Predictably, malicious actors are capitalizing on this transition with a range of attacks targeting card transactions.
Payment card fraud losses worldwide exceeded $32 billion in 2021, according to the Nilson Report. Over the next 10 years, accumulated losses are expected to approach $400 billion, with nearly half occurring in the U.S.
The latest version of the Payment Card Industry Data Security Standard (PCI DSS) attempts to address the increased risk with several revised security controls. PCI DSS 4.0, which goes into effect on March 31, 2024, will provide updated guidance on implementing security controls, including increased focus on network security, encryption and validation methods.
Changing Emphasis
Although the standard’s 12 key requirements remain unchanged, PCI DSS 4.0 will include important adjustments to address significant changes to the business, technology and security landscapes. Key changes include:
- Increased support for multifactor authentication (MFA) for all access into the cardholder data environment.
- Minimum password length increases from seven characters to 12 characters, and passwords must be changed at least once every 90 days.
- Greater focus on using encryption and network security to protect customer card data during transmission.
- Increased emphasis on the use of filtering technologies to block phishing emails and other types of malware before they reach personnel.
Perhaps the most notable change is support for alternative implementation options that will give organizations greater leeway in how they design and apply essential security measures. The new version will allow covered entities to design and implement customized security controls instead of requiring rigid conformity with traditional requirements.
“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, senior vice president and standards officer for the PCI Security Standards Council (PCI SSC). “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”