Posted by: Mike Clarke
PCI DSS 4.0 Latest Updates
The Payment Card Industry Data Security Standard version 4 will be released in Q1 of 2022 (subject to change). This release is the first significant overhaul of the PCI DSS framework since 2015, and because technology has changed so much in that time, the changes to the requirements are substantial.
As with previous iterations, its contents are presented as guidance as opposed to hard and fast rules, and not all sections will apply to you. The PCI DSS requirements cover storing, processing, and transmitting payment card information. You may use technology that hands most of this to a third party, or that handles fewer elements internally, but you remain responsible for ensuring that your own obligations are met.
The most significant change is one of perspective: rather than focusing on the 12 requirements, the standard is now organised around 6 objectives.
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Hidden behind each of these headings, however, is a large and complex topic with far more information than can safely be covered in a single article. That said, we can share the basic principles so that you can start to prepare appropriately for PCI DSS 4.0 when it goes live.
What Does This All Mean?
PCI DSS 4.0 recognises that how you process payments is just one element within the much larger environment you operate in. As a result, a preset textbook solution is no longer viable. The standard acknowledges that each organisation has unique circumstances, and you can demonstrate compliance by showing that your technical solution is designed to achieve the intent of the regulations, which is to ensure the secure transaction and storage of data to facilitate payments.
This puts a much sharper focus on company policies and processes: you need to ensure that your technology solutions are routinely reviewed and that you have safeguards confirming they operate as anticipated. You may have to demonstrate your compliance to an external auditor, so everything needs to be documented clearly enough that they can see how your bespoke solution addresses the standard's concerns in your particular situation.
Take Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) as an example: both are methods of adding an extra layer of security. These methods have been around for years, but you need to determine when it is appropriate to adopt them. At this stage MFA is becoming a standard, so if you opt not to use it you will need to provide a documented justification for not implementing this security measure.
How Should You Proceed?
Firstly, follow the guidance in our previous article as a baseline.
You then need to perform a risk analysis on your business. This must be done routinely to reassess threats, so set it up as a recurring task. Identifying threats is step one; next you need to close any gaps with new security measures as technology and the nature of the identified threats evolve.
You also need to identify experts in your field, or companies you can turn to, for guidance. Having people with shared experience but a different perspective is an invaluable asset when building your security framework.
At Greenlight, we provide regular updates on security and regulation and provide this information free of charge to assist you in preparing your business for the challenges ahead. We are happy to help if you have any specific queries, so reach out if you need a hand.