Data Bank - Home
April 12, 2021

Get Prepared: If You Are a PCI (Credit Card) Customer, The Requirements are Getting Tougher

After much anticipation, PCI DSS 4.0 is finally expected to arrive in mid-2021. Do you know how the updates will affect your organization? If not, you’ve come to the right place. This quick guide will help you better navigate the PCI DSS waters and help keep your organization afloat. From Point-to-Point encryption to Software-based Pin entry, and everything in between, PCI DSS 4.0 has got it covered. Let’s Dive In.

Since PCI DSS version 3.2, the technology utilized by today’s organizations to accept and process credit card payments has seen substantial changes and evolved at a rapid pace. As expected, Cybercriminals have adjusted to meet those changes and upped the ante, introducing new threats to exploit vulnerabilities in the payment systems and processes. PCI DSS 4.0 seeks to ensure data security controls are effective through these changes. This starts with creating Strong Key Objectives that include:

• Continuing to provide the critical foundation for securing payment data

• Promoting security as an ongoing process

• Improving flexibility for organizations with a wide range of technologies

• Enhancing validation methods and procedures

In addition to updating the objectives, PCI DSS 4.0 takes on the risks associated with contactless payments, including those processed by merchants with commercial off-the-shelf mobile phones and tablets. Other trends PCI DSS covers include cloud adoption, new software development practices, and increased dependency of third parties in the payment process. It was necessary for PCI DSS to adapt to these trends to avoid being outdated.

Lastly, PCI DSS added several critical updates to which organizations should pay special attention. These additions provide better direction and more insight than the previous version on certain topics, such as authentication and cloud environments.

Critical Updates include:

Sampling – Sampling guidance will be included for assessors to validate controls are in place consistently across the entire population.

Cloud Environments – Requirements will be more accommodating for technologies, such as cloud hosting services.

Authentication – This provides more flexibility for authentication techniques and changes to MFA requirements

Risk Assessment – The requirement seeks to ensure this process isn’t used as a checkbox.

Security Awareness Training – Training on threats, such as phishing and social engineering, will be required for end-users.

Scoping – More testing and documentation will be required for confirmation of scope accuracy and completeness, and validation of processes.

With these impending changes, organizations should take the necessary steps to increase awareness and put a plan in motion for the new version of changes that will directly affect them. It is important to note that controls under the current version should be maintained, and organizations should steer clear of early drafts of PCI DSS 4.0 (Wait until the final version is released). Now that you have this information, go forth and conquer PCI DSS 4.0. Have any questions? Contact us!