PCI DSS v4.0 and Payment Security: What You Need to Know
PCI DSS v4.0 was officially released at the end of March 2022. As a result, organisations managing environments within its scope must prepare for significant changes to the PCI Data Security Standard (DSS) over the next 18 months. As a participating organisation, PCI Pal has worked closely with the PCI Security Standards Council throughout the consultation process. Here are some of the biggest changes that will impact your organisation with the introduction of PCI DSS v4.0.
PCI DSS v4.0 Transition Timeline
The PCI Security Standards Council released PCI DSS v4.0, together with a Summary of Changes from v3.2.1 to v4.0, at the end of March. While organisations will have 18 months to transition to the new standard, there are significant, necessary changes required to ensure compliance is maintained.
Why the Update to PCI DSS v4.0?
PCI DSS is designed to ensure that merchants who accept payment cards from VISA, MasterCard, American Express, JCB International, Discover Financial Services, and UnionPay have adequately protected cardholder data. While the 12 core PCI DSS requirements remain fundamentally the same, PCI DSS v4.0 aims to achieve three main objectives:
1. Promote security as a continuous process
The biggest change is that security testing has to be a continuous process, rather than a snapshot of an organisation’s PCI DSS compliance taken once a year during the annual audit. The standard’s guidance directs Qualified Security Assessors (QSAs) to select samples spanning a period of time as evidence that compliance has been maintained throughout, not only on the day of the assessment.
2. Enhance validation methods and procedures
The new version of the PCI DSS contains revisions to the authentication requirements to reflect the latest industry best practices for passwords and multi-factor authentication (MFA). Passwords must be at least 12 characters long and contain both letters and numbers. Multi-factor authentication becomes mandatory for all accounts that provide access to the cardholder data environment.
3. Add flexibility and support of additional methodologies to achieve more stringent security requirements
A significant change in version 4.0 is that organisations may design and implement their own controls based on the stated intent of a requirement, rather than relying on compensating controls. This gives companies more flexibility to adopt new technologies or security solutions while achieving compliance. PCI DSS v4.0 supports the use of different technologies, such as cloud-based hosting services, by introducing more flexible wording around requirements and adding intent statements that address the evolving threats to the payment ecosystem.
Descope Your Infrastructure to Maintain PCI DSS Compliance with PCI Pal
Descoping your infrastructure from the requirements of PCI DSS v4.0 is one of the most effective ways to protect your customers’ data and one of the easiest areas in which to make changes that meet the updated requirements. In the context of the Payment Card Industry Data Security Standard, this means keeping customers’ card data out of company systems and minimising the points where that data is processed or stored.
Organisations benefit from a reduction in scope by outsourcing PCI compliance to a third party like PCI Pal. Our cloud-based solutions support the most common payment methods across telephony and digital channels to mitigate the risk of payment data compromise while maintaining compliance.
It is well known that adding layers of security can increase friction and frustration for consumers, which leads to abandoned transactions if there are too many ‘hurdles’. An organisation must be able to provide clear assurances to customers that its methods of capturing, processing and storing data are compliant with the latest industry standards and regulations.
PCI Pal has always believed that organisations can be secure and compliant to the highest level while simultaneously ensuring that CX processes and engagement with customers are prioritised. Through innovative, patented technology, payment security can be achieved in a way that allows consumers to interact and complete transactions securely, in the way they wish.