A new version of the Payment Card Industry (PCI) Data Security Standard (DSS), a set of security standards developed to protect cardholder data and ensure the secure processing of payments, will become mandatory as of 1 April 2024. Version 4 completely replaces version 3.2.1 and introduces several significant changes that aim to enhance data security and address evolving threats. These include a risk-based approach, enhanced flexibility and scalability, alignment with modern security practices, and greater emphasis on education and security awareness across the board. These new requirements have a significant impact on any business that handles card payment information, and organisations need to prepare ahead of time to ensure compliance when the old version of the standard is retired on 31 March 2024.
The key changes
There are a total of 49 new requirements in PCI DSS 4 and 64 changes in total, ranging from evolving requirements to clarification or guidance and changes to the structure or format of the Standard. All changes are designed to ensure that the standard evolves and continues to meet the changing requirements of the payment card industry. The aim is to promote security as a continuous process rather than a once-off exercise. To that end, the new standard introduces a more flexible “Customized Approach”, which gives entities an additional way to meet the security objective of a control that addresses the risk, together with alternative validation methods for auditors.
Certain security controls will become mandatory, including web application firewalls and Multi-Factor Authentication (MFA) for all interactions relating to cardholder data. Other elements include changes to password requirements to enhance security, authenticated internal vulnerability assessments, and an increased emphasis on security awareness, particularly around phishing and social engineering. Training will also become mandatory for all employees under the new version of the standard. In addition, automation of log reviews has become a requirement, as there is simply far too much data for effective manual review.
Security is a journey, not a destination
It’s important to understand that achieving and maintaining PCI DSS compliance is not a one-time event or a fixed state. It’s an ongoing process that requires continuous effort, monitoring and improvement. Here’s why security is considered a journey.
Cybersecurity threats and attack techniques in the payment card space have evolved significantly as more businesses have moved online, and treating security as a continuous process has become essential to protect payment data, which is an increasingly attractive target for cybercriminals. PCI DSS 4 aims to address this by mandating clearly defined and assigned roles and responsibilities for each requirement, for merchants as well as third-party service providers. The new standard also provides additional guidance to help entities better understand how to implement and maintain security.
Because security can no longer be a static framework, the new version of the standard also increases flexibility for organisations that use different methods to achieve their security objectives. This supports payment technology innovation and gives organisations the ability to adapt their security practices through targeted risk assessments and analysis. To support this, the customised approach offers enhanced validation methods and procedures.
Don’t go it alone
With all of the new recommendations and requirements introduced in PCI DSS 4, it can be challenging to understand how the standard applies to your business. This is particularly true for cloud-based and hybrid environments, which add a layer of complexity. While it is possible to do this in-house if you have an internal security auditor, for the majority of businesses this is simply not the case, and even where it is, it would require a heavy lift in terms of understanding and interpreting the changes. Enlisting the help of a Qualified Security Assessor (QSA) can ease the transition and ensure that all areas are effectively covered.
A QSA can take you through a gap analysis to identify where the changes to the standard will have an effect and where changes to your environment will need to be made. From there, they can compile a roadmap to remediate the gaps and align with Version 4 ahead of its implementation. This is important in helping to clarify scope and understand the requirements for meeting the new standard, in terms of both process and technology. A QSA will also be able to conduct a mock audit to validate any changes made and ensure they can be adjusted and adapted to align with the new standard.