PCI DSS V4, What is Changing?

In the first half of 2024, £571 million was lost to card payment fraud in the UK alone, with a significant portion of these scams originating on social media platforms. Traditionally, data breaches occurred within isolated systems or networks. However, the fraud we are seeing today is increasingly sophisticated, exploiting vulnerabilities across the entire digital ecosystem.

While new e-commerce environments and the expansion of digital platforms have brought convenience and a wider range of payment methods, they have also made sensitive information harder to secure. As cybercriminals adapt to emerging technologies, the standards that govern these ecosystems need to evolve to address new vulnerabilities and provide robust protection for cardholder data in an increasingly interconnected world.

One such standard is PCI DSS. All merchants around the world, regardless of size, must comply with the Payment Card Industry Data Security Standard (PCI DSS) when they open a merchant account, so that payment card data is safeguarded before, during and after a purchase. The standard applies to every entity involved in payment card processing: not just merchants, but also processors, acquirers, issuers and service providers.

The Payment Card Industry Data Security Standard (PCI DSS) was first published in December 2004 by the major card brands (Visa, Mastercard, American Express, Discover and JCB) as a single set of security requirements for protecting cardholder data, replacing their separate programmes. Since 2006 it has been maintained by the Payment Card Industry Security Standards Council (PCI SSC), which the brands founded for that purpose. Over the past two decades, PCI DSS has played a crucial role in enhancing payment security. However, the rise of social media-related fraud and the emergence of new technologies underscore the need for its continuous evolution.

To address these threats, the PCI SSC has introduced updates gradually, culminating in PCI DSS version 4.0, published in March 2022: the first major revision since v3.0 in 2013. Version 3.2.1 was retired on 31 March 2024, and a limited revision, v4.0.1, was published in June 2024 (hence the "v4.x" used below).

PCI DSS is organised into 12 core requirements, the foundational principles that every entity handling cardholder data must follow. Each requirement is broken down into sub-requirements, each with its own testing procedures and guidance for conducting and reporting assessments. Together they cover encryption, authentication, network segmentation, logging, vulnerability management and testing.

Within those 12 requirements, version 4.0 adds 64 new individual requirements. Thirteen applied immediately to every v4.0 assessment; the remaining 51 were future-dated as best practice and become mandatory on 31 March 2025. These new requirements build on the original 12 and reflect updated security measures to address modern threats.


What are the Key Changes in PCI DSS v4.0
The move to PCI DSS version 4.0 matters for every business in the payment industry; the most significant changes are set out below.

1. Emphasis on Risk-Based Approaches

The most talked-about change in v4.0 is the flexible, risk-based route to compliance. Alongside the traditional "defined approach" (implement the requirement as written and be tested against the standard's own testing procedures), v4.0 adds a "customized approach", under which an organisation may meet the stated objective of a requirement with controls of its own design. The emphasis shifts from rigid adherence to predefined methods towards context-specific solutions.

  • What it means: Organizations can design controls better suited to their own environment, as long as they:
    • Demonstrate how each control meets the Customized Approach Objective stated for that requirement.
    • Document the control's design, implementation and effectiveness in a controls matrix, backed by a targeted risk analysis for each customized control (Requirement 12.3.2).
  • Key challenges:
    • Requires robust internal expertise to design and justify custom controls.
    • The assessor (QSA) writes bespoke testing procedures for each customized control and will demand detailed evidence: technical documentation, test results and monitoring logs.
    • The customized approach is only available in a full assessment by a QSA; merchants completing a Self-Assessment Questionnaire (SAQ) must use the defined approach.
  • Advantages:
    • Greater flexibility for innovative security practices.
    • Reduces unnecessary compliance burdens where predefined controls do not fit the environment.

2. Updated Requirements for Authentication

Authentication requirements have been strengthened to address the growing risk of credential-based attacks.

  • Stronger Multi-Factor Authentication (MFA):
    • v3.2.1 already required MFA for all non-console administrative access to the Cardholder Data Environment (CDE) and for all remote network access originating from outside the entity's network (Requirements 8.4.1 and 8.4.3). v4.0 adds Requirement 8.4.2: MFA for all access into the CDE, mandatory from 31 March 2025. In practice this covers:
      • Administrative accounts.
      • Remote access accounts.
      • Third-party vendor access.
    • MFA must use at least two different types of factor (Requirement 8.5.1):
      • Something you know (e.g., a password).
      • Something you have (e.g., a hardware token or smartphone app).
      • Something you are (e.g., biometric verification).
    • Requirement 8.5.1 also states that the MFA system must not be susceptible to replay attacks, must not let any user bypass a factor, and must grant access only after every factor has succeeded.
    • The minimum password length rises from 7 to 12 characters (Requirement 8.3.6, mandatory from 31 March 2025).
  • Enhanced Remote Access Security:
    • Non-console administrative access (e.g., reaching systems remotely via RDP or SSH) must use MFA whether it originates inside or outside the network.
    • Every authentication attempt, successful or not, must be logged (Requirement 10.2) so that failed and bypassed MFA attempts are visible to monitoring.

    In practice this means:
    • An employee logging into a CDE system must present two factors, such as a password (something they know) and a code from an app on their phone (something they have).
    • A third-party vendor accessing the system remotely must also use MFA.

3. More Frequent Testing

PCI DSS v4.0 emphasizes continuous security validation to keep pace with a dynamic threat environment.

  • Key updates:
    • Vulnerability Scanning: Internal and external scans remain at least quarterly and after significant changes (Requirements 11.3.1 and 11.3.2), with external scans run by an Approved Scanning Vendor (ASV). What is new is that internal scans must be authenticated (11.3.1.2, mandatory from 31 March 2025), so the scanner sees missing patches and weak configurations rather than only what is exposed on the network.
    • Penetration Testing: External and internal penetration tests at least annually and after significant changes (Requirement 11.4), covering the CDE perimeter and critical systems and following a documented methodology.
    • Segmentation Testing: Where segmentation is used to reduce scope, its effectiveness must be tested at least annually (11.4.5) and, for service providers, at least every six months (11.4.6). As a reminder, the Cardholder Data Environment includes all systems, applications and processes that store, process or transmit payment card data, plus the systems connected to them. Segmentation places boundaries between the CDE and the rest of the network so that a compromise elsewhere cannot reach card data.
  • Impact:
    • Encourages proactive identification of vulnerabilities before they are exploited.
    • Moves compliance towards an ongoing activity rather than a once-a-year exercise.
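
A segmentation test boils down to proving that nothing in the CDE is reachable from out-of-scope networks. The following is an added example (not from the article) of the TCP reachability probe that such a test is built on: run from an out-of-scope host against the CDE address ranges, every port that answers is a hole in the segmentation. The port list is a constructed illustration, and the local listener exists only so the probe can be exercised offline.

```python
"""Added example, not from the Paypr.work article: a TCP reachability probe of the
kind used in a PCI DSS segmentation test. Targets and ports below are constructed."""
import socket
import threading
from typing import Dict, List, Tuple

# Ports a CDE host typically exposes; a constructed list for illustration.
CDE_PORTS = [22, 443, 1433, 3306, 3389, 5432]


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open' (handshake completed), 'closed' (RST received) or
    'filtered' (no answer within the timeout, or no route)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:            # unreachable network, no route, etc.
            return "filtered"


def segmentation_test(hosts: List[str], ports: List[int]) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair; run this from a host OUTSIDE the CDE."""
    return {(h, p): probe_port(h, p) for h in hosts for p in ports}


def findings(results: Dict[Tuple[str, int], str]) -> List[Tuple[str, int]]:
    """Segmentation is effective only if this list is empty."""
    return sorted(k for k, v in results.items() if v == "open")


def _local_listener() -> Tuple[socket.socket, int]:
    """Start an ephemeral listener on 127.0.0.1 so the probe can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:        # listener closed: stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def _closed_port() -> int:
    """Find a loopback port with nothing listening (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = _local_listener()
    results = segmentation_test(["127.0.0.1"], [open_port, _closed_port()])
    for (host, port), state in results.items():
        print(f"{host}:{port} {state}")
    print("segmentation holes:", findings(results))
    listener.close()
```

Against a real CDE, replace the hosts with the CDE address ranges and `CDE_PORTS` with the full port range, and keep the output as evidence: the assessor will want the probe's source address, the date, and the fact that every result was "filtered" or "closed".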

4. Encryption Enhancements

To protect cardholder data, PCI DSS v4.0 tightens the requirements around encryption and cryptographic key management.

  • Encryption Protocols:
    • PCI DSS does not mandate a particular algorithm; it requires "strong cryptography", which its glossary illustrates with AES (128 bits and higher), RSA (2048 bits and higher) and ECC (224 bits and higher), and for transport TLS 1.2 or later. AES-256 comfortably meets that bar. Encryption algorithms like AES-256 (Advanced Encryption Standard with a 256-bit key) secure sensitive data, such as payment card information, by converting it into an unreadable form that can only be recovered with the key.
    • What AES-256 Means:
      The "256" is the length of the key in bits. A longer key raises the cost of a brute-force attack exponentially. AES-256 is widely regarded as a gold standard in encryption because of its:
    • Deprecated protocols such as SSL and TLS 1.0/1.1 ("early TLS") have been prohibited for cardholder data since 30 June 2018, so their removal is not new in v4.0. What v4.0 adds (Requirement 12.3.3, mandatory from 31 March 2025) is an inventory of every cipher suite and protocol in use, reviewed at least annually so that deprecations are anticipated rather than discovered. TLS (Transport Layer Security) secures communications over the internet, such as between a browser and a website or a payment terminal and a server, encrypting data in transit so it cannot be read if intercepted.
  • Key Management:
    • Stricter controls over cryptographic key generation, distribution and storage (Requirements 3.6 and 3.7).
    • Secret and private keys used to encrypt stored account data must themselves be protected: encrypted with a key-encrypting key at least as strong, held within a secure cryptographic device such as an HSM or PTS-approved payment terminal, or split into key components (3.6.1.2). An HSM is therefore one of the accepted options rather than a blanket requirement.
    • Two future-dated changes to stored data: a PAN rendered unreadable by hashing must use a keyed cryptographic hash (3.5.1.1), and disk- or partition-level encryption on its own is acceptable only for removable media (3.5.1.2).
  • Key takeaways:
    • Stronger encryption reduces the risk of data exposure during breaches.
    • Enhanced key management prevents unauthorised access to encrypted data.
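
The TLS floor is where most "early TLS" findings come from: a client or server context left at its compatibility default. The following is an added example (not from the article) that shows the weak client setting beside a hardened one, reports which protocol versions each would negotiate, and includes a probe that tries one handshake per version against a server so that a lingering TLS 1.0/1.1 endpoint shows up in the protocol inventory Requirement 12.3.3 asks for. The host and port in the `__main__` section are placeholders.

```python
"""Added example, not from the Paypr.work article: TLS version floors for the PCI
"strong cryptography" requirement, plus a per-version handshake probe.
Host/port values are placeholders; nothing here is the article's own code."""
import socket
import ssl
from typing import Dict, List

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def legacy_client_context() -> ssl.SSLContext:
    """The weak setting: floor lowered to TLS 1.0 'for compatibility' with an old peer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def pci_client_context() -> ssl.SSLContext:
    """Hardened: TLS 1.2 minimum, chain and hostname verification left on."""
    ctx = ssl.create_default_context()          # verifies certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepted_versions(ctx: ssl.SSLContext) -> List[str]:
    """Protocol versions a context is willing to negotiate, from its min/max settings."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1           # 'whatever OpenSSL allows' treated as TLS 1.0 floor
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [name for name, v in VERSIONS.items() if lo <= v <= hi]


def probe_server_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Attempt one handshake per protocol version and report what the server negotiates.

    Certificate checks are disabled on purpose: this probes version support only,
    it is not a client that should ever carry cardholder data."""
    report: Dict[str, str] = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version       # pin the handshake to exactly one version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    report[name] = f"negotiated ({tls.version()})"
        except (ssl.SSLError, OSError, ValueError) as exc:
            report[name] = f"not negotiated ({type(exc).__name__})"
    return report


if __name__ == "__main__":
    print("legacy context accepts:", accepted_versions(legacy_client_context()))
    print("PCI context accepts:   ", accepted_versions(pci_client_context()))
    # Placeholder target; point this at a payment gateway or terminal endpoint you own.
    for version, outcome in probe_server_versions("example.invalid", 443).items():
        print(f"{version}: {outcome}")
```

One caveat when reading probe output: OpenSSL 3 at its default security level refuses to offer TLS 1.0/1.1 at all, so "not negotiated" for those rows may reflect the local library rather than the server. If the inventory needs a definitive answer, repeat the check with a scanner that can still speak early TLS, or with `openssl s_client` at security level 0.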

5. Expanded Awareness and Training

Security awareness has been broadened with new educational content and clearer accountability for everyone who touches the CDE.

  • Phishing and Social Engineering:
    • Awareness training, delivered at least every 12 months, must cover threats to the CDE including phishing and related social engineering (Requirement 12.6.3.1, mandatory from 31 March 2025). The standard does not prescribe phishing simulations, but they are a common way to measure whether the training worked and to target follow-up training where it did not.
    • Separately, Requirement 5.4.1 (also future-dated) calls for technical mechanisms that detect and protect personnel from phishing, such as mail filtering, link checking and DMARC.
  • Expanded Training Scope:
    • Training must now include specific roles and responsibilities related to compliance, such as incident response or access management, and acceptable use of end-user technologies (12.6.3.2).
    • Third-party personnel who access the CDE fall within the scope of the awareness programme, and the compliance of service providers themselves is managed under Requirement 12.8.
  • Why this matters:
    • Human error remains one of the leading causes of breaches, and robust training reduces this risk.
    • Role-specific training ensures everyone understands their contribution to compliance.

6. Automated Monitoring

PCI DSS v4.0 pushes organisations towards automation for log review and control monitoring, both to catch incidents sooner and to reduce manual error.

  • What's new:
    • Log reviews may be performed with automated mechanisms (Requirement 10.4.1.1, mandatory from 31 March 2025) instead of manual daily review, with alerts on anomalies such as repeated failed logins, unauthorised access attempts or unusual data flows.
    • Failures of critical security control systems (firewalls, IDS/IPS, anti-malware, logging, MFA) must be detected and reported promptly (10.7.2) and responded to (10.7.3). In v3.2.1 this applied only to service providers; v4.0 extends it to all entities, future-dated to 31 March 2025.
    • Payment pages must be monitored for unauthorised changes to their scripts and HTTP headers (11.6.1), a direct response to web-skimming attacks.
    • Monitoring must extend to every asset within the PCI scope, including:
      • Network devices.
      • Servers.
      • Endpoints.
  • Advantages:
    • Provides immediate visibility into compliance gaps.
    • Frees up resources previously spent on manual monitoring and reporting.
  • Examples of tools:
    • Security Information and Event Management (SIEM) systems.
    • Real-time log analysis tools.
    • Automated vulnerability management platforms.
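
What an "automated mechanism for log review" actually does is run rules over the authentication logs that Requirement 10.2 makes you keep. The following is an added example (not from the article, and not any vendor's product) of two such rules run over constructed OpenSSH log lines from a hypothetical CDE database host: a brute-force rule keyed to the ten-attempt lockout threshold of Requirement 8.3.4, and an allowlist rule that flags any successful login not coming from the admin jump host. The host names, addresses, year and jump-host allowlist are all assumptions for illustration.

```python
"""Added example, not from the Paypr.work article: the kind of rule a SIEM or
log-analysis job would run over CDE authentication logs. The log lines, host
names, addresses and the bastion allowlist are all constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# OpenSSH auth log lines; syslog output carries no year, so one is assumed.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\S+\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)
ASSUMED_YEAR = 2025

# Constructed allowlist: the only addresses admins may reach CDE hosts from.
ADMIN_JUMP_HOSTS = {"10.10.5.20"}
# PCI DSS v4.0 Requirement 8.3.4: lock the account after at most 10 invalid
# attempts; alerting at the same threshold makes each lockout visible to the SOC.
FAIL_THRESHOLD = 10
FAIL_WINDOW = timedelta(minutes=30)

# Constructed sample: ten failures for 'admin' from an unapproved address, an
# unrelated failure, a success from that same unapproved address, then a
# legitimate key-based login via the jump host.
SAMPLE_LOG: List[str] = [
    f"Mar 12 10:00:{i:02d} cde-db01 sshd[22{i:02d}]: Failed password for admin "
    f"from 203.0.113.7 port 510{i:02d} ssh2"
    for i in range(10)
] + [
    "Mar 12 10:01:15 cde-db01 sshd[2250]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2",
    "Mar 12 10:02:30 cde-db01 sshd[2260]: Accepted password for admin from 203.0.113.7 port 51040 ssh2",
    "Mar 12 10:05:00 cde-db01 sshd[2301]: Accepted publickey for dba from 10.10.5.20 port 44100 ssh2: RSA SHA256:c0ffee",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one sshd line into an event dict, or None for lines the rule ignores."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return alerts for brute-force attempts, logins from unapproved sources and
    any success that follows a brute-force alert on the same account."""
    alerts: List[Dict[str, object]] = []
    recent_failures = defaultdict(deque)        # (host, user) -> failure timestamps in window
    brute_forced = set()                         # (host, user) pairs already alerted on
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                             # not an auth event this rule understands
        key = (ev["host"], ev["user"])
        if ev["result"] == "Failed":
            window = recent_failures[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()                 # forget failures older than the window
            if len(window) >= FAIL_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alerts.append({"rule": "brute_force", **ev})
        else:
            if ev["src"] not in ADMIN_JUMP_HOSTS:
                alerts.append({"rule": "login_from_unapproved_source", **ev})
            if key in brute_forced:
                alerts.append({"rule": "success_after_brute_force", **ev})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['rule']:30} {alert['host']} "
              f"user={alert['user']} src={alert['src']}")
```

The third rule is the one worth keeping an eye on: a success immediately after the lockout threshold was hit means either the lockout is not working or the password was guessed before it triggered, and both are findings an assessor would expect you to have caught yourself.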

Roles and Responsibilities:
In PCI DSS v3.2.1, roles and responsibilities were implied rather than explicitly required; assigning them was treated as good practice. PCI DSS v4.x adds to each of Requirements 1 to 11 a sub-requirement (numbered x.1.2) that the roles and responsibilities for that area be documented, assigned and understood. Employees must be trained on their specific roles, so that staff turnover, holidays or reorganisations do not leave a control without an owner. This shifts an informal habit into a structured process and reduces the risk posed by unclear accountability.

Annual Scope Confirmation:
In PCI DSS v3.2.1, scope confirmation was expected as part of compliance but was not a formal, recurring requirement, and organisations often assessed scope inconsistently, leaving systems that handle cardholder data outside the assessment. PCI DSS v4.x requires the scope to be documented and confirmed at least every 12 months and after any significant change to the environment (Requirement 12.5.2); service providers must do so at least every six months (12.5.2.1, mandatory from 31 March 2025). Scoping becomes a proactive, repeatable process that keeps pace with the complexity of modern payment systems.

Vulnerability Scans for E-Commerce Merchants (SAQ A):
In PCI DSS v3.2.1, e-commerce merchants completing SAQ A were not explicitly required to conduct regular vulnerability scans using Approved Scanning Vendors (ASVs). The responsibility for such scans often depended on third-party service providers managing the e-commerce platforms. PCI DSS v4.x mandates that merchants completing SAQ A perform vulnerability scans every three months via an ASV, even if third-party providers manage their platforms. Clear documentation is required to ensure these scans are conducted on behalf of merchants, addressing security across the e-commerce environment. This new requirement reflects the growing risks associated with e-commerce and the supply chain.

Improved Supply Chain Security:
PCI DSS v3.2.1 encouraged the use of PCI-compliant third-party providers but did not focus on supply chain security as such. PCI DSS v4.x, through Requirement 12.8, emphasises the need to use compliant third-party service providers (TPSPs), to keep a written agreement on which requirements each party is responsible for, and to monitor each TPSP's compliance status at least annually. It recognises the growing reliance on third-party solutions and the malware and data-breach risks that flow from supply chain weaknesses.

These updates ensure that PCI DSS v4.x is better aligned with modern payment technologies and the increasingly sophisticated tactics used by cybercriminals. They aim to strengthen payment security by addressing the gaps and vulnerabilities that were less rigorously enforced under PCI DSS v3.2.1.

How PCI DSS v4.0 Benefits Organizations

The changes introduced in PCI DSS v4.0 reflect a shift toward more dynamic, risk-based security practices, bringing:

  • Improved adaptability to evolving threats.
  • Reduced risk of breaches through stronger authentication and encryption.
  • Greater efficiency with automated monitoring and testing.

The transition to v4.0, while requiring upfront effort, will help organizations future-proof their payment security infrastructure and build greater trust with customers and stakeholders.

PCI compliance is not a one-time task, but a continuous process aimed at increasing consumer protection against cyber threats through a set

Although PCI compliance is not mandated by law in most jurisdictions, failing to comply with PCI DSS version 4.0 can result in investigations, fines and penalties, especially if a data breach occurs after the new requirements become mandatory. Non-compliance greatly increases the financial and reputational damage of a breach: the card brands can fine the acquirer, which passes the cost to the merchant, including the cost of reissuing affected cards and covering fraudulent charges. Without preventive measures, a company may lose its reputation or go out of business.
