The Payment Card Industry Data Security Standard (PCI DSS) is one of the most widely applicable data security standards. It is enforced contractually through the card brands and acquiring banks rather than by statute, and any organization that stores, processes, or transmits payment card data is subject to it. This includes merchants accepting credit and debit cards as well as the service providers that handle cardholder data on their behalf.
In March 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS. This major version change officially replaced PCI DSS v3.2.1, which was retired on March 31, 2024, giving organizations two years of lead time to adopt the new version. Version 4.0 also introduces requirements that are new to the PCI DSS framework; these are considered best practice until March 31, 2025. After that date they become mandatory, and an organization's annual compliance assessment must verify that each of them is in place.
Major Changes Introduced with PCI DSS v4.0
The update to PCI DSS v4.0 includes changes of varying degree to all twelve PCI DSS requirements. The major changes focus on the most common attacks organizations face, including account takeover and automated attacks against an organization's web applications.
Organizations are increasingly moving their payment card operations to cloud-based environments. These environments are frequently targeted because they are reachable from the internet and because a set of compromised user credentials is often enough on its own to gain access. For this reason, one of the major focuses of PCI DSS v4.0 is stronger user authentication. Some of the new requirements include:
- Multifactor authentication (MFA) is required for all access into an organization's cardholder data environment (CDE), not only for administrative and remote access as under v3.2.1
- Passwords must be changed after suspected compromise
- Passwords must be at least twelve characters long (previously seven), or eight where the system cannot support twelve, and include both numeric and alphabetic characters
- Passwords should be tested against known weak or common passwords
- User account permissions must be reviewed every six months
- Application and service account permissions must be reviewed periodically
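As an added illustration (not code from this page, from MorganFranklin, or from the PCI SSC), the following Python check enforces the password rules listed above: the twelve-character minimum with the eight-character fallback for systems that cannot support twelve, the requirement for both numeric and alphabetic characters, and a comparison against known weak or common passwords. The deny list is a constructed sample, not a real breach corpus, and the trailing-digit stripping in `matches_weak_list` is an extra heuristic beyond what the requirement text states.

```python
import string
import unicodedata

# PCI DSS v4.0 default minimum length. Assumption: the system supports 12 or more.
MIN_LENGTH = 12
# v4.0 permits a minimum of 8 only where the system cannot support 12.
LEGACY_MIN_LENGTH = 8

# Constructed sample deny list. A real deployment would load a breach-derived
# list (assumption: one lower-case entry per line) instead of this handful.
WEAK_PASSWORDS = {
    "password", "password1", "123456789012", "qwertyuiop12",
    "welcome12345", "letmein12345",
}


def normalize(password: str) -> str:
    """Case-fold and NFKC-normalize so 'PassWord1' and 'password1' compare equal."""
    return unicodedata.normalize("NFKC", password).casefold()


def matches_weak_list(password: str) -> bool:
    """Exact match against the deny list, plus a heuristic the requirement text
    does not spell out: strip trailing digits and punctuation so 'Password12345'
    is caught by the 'password' entry."""
    norm = normalize(password)
    if norm in WEAK_PASSWORDS:
        return True
    base = norm.rstrip(string.digits + string.punctuation)
    return bool(base) and base in WEAK_PASSWORDS


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if matches_weak_list(password):
        problems.append("matches a known weak or common password")
    return problems


def is_compliant(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True when the password satisfies every rule for the given minimum length."""
    return not check_password(password, min_length)


if __name__ == "__main__":
    for candidate in ["Abc12345", "PassWord12345", "Tr0ub4dor&3xyzQ"]:
        print(candidate, "->", check_password(candidate) or "OK")
    # A legacy system that cannot support twelve characters uses the fallback:
    print("Abc12345 (legacy) ->", check_password("Abc12345", LEGACY_MIN_LENGTH) or "OK")
```

The check returns every violation rather than stopping at the first, which is what a user-facing password change form needs; the deny-list comparison runs on the normalized form so case tricks do not bypass it.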
These new requirements move affected organizations toward a zero-trust security model, which depends on strong user authentication and on consistent application of the principle of least privilege across the organization.
Encryption is one of the most effective ways to restrict access to sensitive data such as cardholder data, but only to the extent that the keys are protected. The revised standard adds guidance on how organizations can adjust their controls to meet the stronger encryption requirements for any cardholder data they store. If an organization has strong user authentication and properly manages its cryptographic keys (key custodians, key storage, and key rotation included), then encryption effectively restricts access to stored cardholder data; weak key management turns the encryption into a formality.
Attack Surface Management
Threat actors increasingly exploit newly disclosed vulnerabilities and use automated attacks to identify and penetrate vulnerable systems. PCI DSS v4.0 adds several requirements in response: organizations must put additional DevSecOps practices in place for bespoke and custom software, deploy a web application firewall (WAF) or an equivalent automated solution that continually detects and prevents web-based attacks on public-facing web applications (under v3.2.1 a periodic application review was an acceptable alternative to a WAF), and address vulnerabilities that are not rated high-risk or critical as part of their vulnerability and risk management process rather than only the critical ones.
How MorganFranklin Can Help
Compliance with PCI DSS is required for all organizations that store, process, or transmit payment card data. The twelve requirements outlined in PCI DSS describe the security practices that organizations must have in place to properly protect the cardholder data in their possession.
While PCI DSS describes the security controls that organizations must have in place, each organization is responsible for mapping these requirements to its own environment and systems. MorganFranklin experts have extensive experience in translating regulatory requirements to an organization's real-world environment and implementing an effective and sustainable security program that meets both business and compliance needs.