Guidelines for implementing PCI DSS v4.0

Recent data shows that the global pandemic and the contraction of normal trading practices led to an increase in e-commerce and a consequent rise in online payments of 43%. In the US, this equated to an increase of $244.2 billion in 2020 alone. Recognising these increases, the Payment Card Industry Data Security Council updated PCI DSS v3.2.1 and, on March 31st 2022, introduced PCI DSS v4.0.

For those companies that manage high volumes of financial transactions using credit cards and online payment systems, compliance is essential. Enforcement of compliance with PCI Standards and determination of any non-compliance penalties are carried out by the individual payment brands, not by the PCI SSC. Non-compliance, system breaches and data corruption within a merchant organisation carry the threat of sanctions or expulsion from the credit card provider.

PCI DSS v4.0 will become mandatory for all organizations that process or store cardholder data by March 31st, 2024. The proliferation of online transactions isn’t the only reason the PCI Council created the v4.0 standard. Recent years have also seen a surge in cloud use, the rise of contactless payments and cybercriminals using increasingly sophisticated methods of intrusion and fraud.

PCI DSS v4.0 is intended to improve payment card industry security and mitigate the growing threats posed by cybercriminals. Recent initiatives include:

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements to address ongoing threats

The overall intention is to promote security as a continuous process, for example:

  • Allocating clearly assigned roles and responsibilities for each requirement
  • Providing guidance to help people better understand how to implement and maintain security
  • Requirements for a new reporting option to highlight areas for improvement and provide more transparency for report reviewers

PCI DSS v4.0 adds further information security requirements; it is a major overhaul that requires a complete refocus on the technology behind the way in which payment card data is processed, managed and secured.

If your organization isn’t up to speed on current practice, it will certainly need to apply expert resources in order to comply with the v4.0 requirements. Indeed, a shift in mindset and culture may also be needed, since compliance is not a one-off exercise, but a continuous process. The PCI DSS approach places emphasis on top-down organizational change and best practice alignment.


The following steps will guide your business towards attaining compliance within the allocated timeframe as well as avoiding any audit fines or publicised data breaches.

  1. Create a detailed, auditable action plan for the implementation of PCI DSS v4.0, securing buy-in and resources from senior management.
  2. Contrast PCI DSS v3.2.1 with PCI DSS v4.0 and upgrade to the new security requirements. For example, this will cover areas such as the protection of account data as opposed to the previous cardholder data. It may be necessary to restructure your network to adequately protect account data.
  3. PCI DSS v4.0 emphasises the cultivation of a security mindset within the organization. Personnel must begin to view compliance as a continuous activity that protects sensitive data, rather than simply a set of tasks designed to pass audits. Security and compliance teams should work together to implement a defined process for maintaining the security of the Cardholder Data Environment (CDE), including routine reviews of configurations and security controls.
  4. Strengthen Security Configuration Management processes. Requirement 2 broadens the scope of SCM. Rather than focusing on vendor-defined defaults, the onus is now put on organizations to have their own security configuration program. In order to meet v4.0’s wider SCM scope, ensure that you monitor the configurations of networks, servers, firewalls, and all other components. SCM also helps auditors track compliance status over time. SCM tools help to reduce the time it takes to prepare for an audit and speed up the actual audit process as well.
  5. Software solutions: The best way to achieve continuous PCI DSS v4.0 compliance is to deploy a comprehensive software solution that supports the new v4.0 controls, checks SCM and ensures that all assets are held securely. The 27k1 ISMS Enterprise Application has been developed with assistance from PCI DSS industry experts and will readily support compliance with PCI DSS v4.0.