Digital transformation has changed the way people make purchases. The growth of ecommerce has led to credit cards becoming one of the most widely used payment methods, but mismanagement could jeopardize the integrity and security of company and customer data.
There are thousands of threats to online transactions. The volume of transactions made in 2022 reached $624.860 billion, up 7.5% from 2021, and these transactions are expected to generate more than $891 million by 2027, according to several reports from Nilson, which means companies need to apply strict security measures to safeguard cardholders’ personal and banking data in the systems. Increasing the adoption of safe payments is the mission of the Payment Card Industry Data Security Standards Council (PCI DSS), a global payments security forum created in 2004 that administers security standards, policies, network architecture, software design and other critical measures to protect credit and debit card transactions against data theft and fraud. Although currently at version 3.2.1, in March 2022 it introduced its latest version 4.0, which organizations must comply with by March 2025.
During this transition period, it is important for companies to familiarize themselves with the changes and implement the security practices and recommendations needed to comply with the regulations when they come into effect.
Key changes in version 4.0
The PCI DSS establishes 64 new requirements, of which 11 apply to service providers, 53 apply to all entities and 51 are considered best practices. The most significant changes are as follows:
- Customization and implementation flexibility:
The updated version allows for customized implementation, giving companies greater flexibility to meet requirements. Companies can design their own controls, as long as they can justify their effectiveness in meeting specific requirements. They can choose between the existing prescriptive implementation or the new customized implementation, removing the option of using compensating controls.
- Multi-factor authentication (MFA):
PCI DSS makes multi-factor authentication (MFA) compulsory for administrator access to the cardholder data environment (CDE), as well as during remote access. Enabling MFA provides a strong layer of access control, which helps protect identities and access to systems that process sensitive data.
- Increased emphasis on data encryption:
The new standard requires encryption of stored authentication data due to the rise in the number of data breach incidents and new vulnerabilities. In version 3.2.1, encryption was simply a recommendation.
- Extension of DESV (Designated Entities Supplemental Validation):
In the previous version, only entities that had experienced security incidents or met certain criteria established by the Council had to comply with additional requirements. In version 4.0, these requirements apply to all entities, particularly those related to the periodic review of critical controls.
- Threat management:
This involves the identification and management of potential risks affecting the security of cardholder data. Constant threat monitoring of both the network and devices storing and transmitting cardholder data, as well as patch management measures, must be implemented as part of best practices to address this ongoing risk. Endpoint security solutions deliver services to protect payment devices and any sensitive information associated with them.
- Rogue Access Point detection:
The new standard requires rogue access point detection as part of all networks where cardholder data is stored or in transit, even if that network does not include wireless connectivity itself. In version 3.2.1, rogue access point detection was only required when wireless connectivity was in use.
How to prepare for PCI DSS 4 compliance?
Getting started with PCI DSS 4.0 compliance requires a series of steps to ensure the process is completed efficiently. First, companies should conduct a thorough assessment to detect any deficiencies in their current systems, and they need to understand and evaluate the infrastructure and processes related to the handling of payment card data.
Second, companies must implement robust security measures to enhance payment processes. How can they do this?
Ensuring security: securing the network with data encryption, network and firewall security, and web application filtering.
Monitoring for threats: implementing wireless rogue access point detection solutions and endpoint security solutions that enable constant threat monitoring and perform patch management.
Protecting the payment experience: enabling MFA to provide a strong layer of access control to help protect identities and access to systems that process sensitive data.
Finally, they need to engage a certified auditor or qualified security consultant to conduct a compliance review.
The new regulations outline the general points regarding cardholder personal and banking data protection. But organizations should also customize security controls in line with their specific circumstances and needs. Our White Paper - Meeting PCI DSS with WatchGuard provides a straightforward review of PCI requirements, with a deep dive into the technology companies need to implement to ensure compliance.