PCI DSS v.4 makes payment security flexible and responsive to threats

The PCI Security Standards Council (PCI SSC) has published version 4.0 of the PCI Data Security Standard (PCI DSS), which will come into force in March 2024. It’s an important update to a set of principles designed to protect global payment systems, and much of what it recommends should be emulated by any security-conscious company.

The Payment Card Industry Data Security Standard (PCI DSS) first appeared in 2004 from a group including Visa, Mastercard, American Express, JCB International and Discover Financial Services.

PCI DSS is a vital standard for all merchants and service providers processing, transmitting or storing cardholder data. Organizations must comply or risk losing access to payment services. In updating the standard for the first time since 2018, the standard setters sought to include enough flexibility to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information.

As it stood before this update, the standard set a host of requirements to help protect payment data. It reads like a to-do list of security steps any company should take – use firewalls, encrypt data transmissions, use network security monitoring and more. The latest update, developed over three years with contributions from over 200 organizations, reflects evolving security principles and also aims to be flexible, so it can be customized to meet each company’s unique needs and address evolving technology and security changes. There are 64 new controls included within PCI DSS v.4: 51 requirements that apply to everyone and 13 that apply specifically to service providers.

The decision to move the standard forward reflects significant changes that have taken place since the last major update in 2018. For example, online sales have overtaken retail sales, and remote and hybrid-working practices have become mainstream during the pandemic. Contact centers, where remote employees may work outside the trusted perimeter, are a particular concern. This makes remote, zero-trust authentication incredibly important, particularly as cloud services proliferate.

Three significant changes in PCI DSS v.4 are customized implementation of the standard for some merchants, mandatory multifactor authentication (including a requirement that passwords be at least 12 characters long), and a movement toward continuous security testing. The standard also brings in use of the 3DS Core Security Standard during transaction authorization, and the encryption of cardholder data now extends to trusted networks, reflecting the risk that known networks may be compromised.

To improve resilience and identify fresh threats, PCI DSS v.4 requires companies to maintain continuous compliance by 2025 rather than treating compliance as an annual audit task. Once again, this is a good approach that any company should emulate, even if it has no intention of adopting the standard. “A company might make large technology investments to become compliant, but because of the ever-changing security threats and upgrades to the standards, it’s hard to keep up. It requires constant upkeep of systems, personnel, and processes,” said Nirmal Kumar, CTO of fintech Aliasware.

To manage cloud deployment, the PCI SSC also has rigorous new requirements for cloud-based hosting, including the demand that multitenant service providers must take steps to prevent “unauthorized access from one customer’s environment to another.” This kind of statement, along with the standard’s alignment with NIST guidance on digital ID, is an important step toward more secure services.

But perhaps the most interesting addition within the updated standard is the new requirement to implement multifactor authentication for all accounts that can access cardholder data. This change means PCI DSS v.4 supports a zero-trust approach to security, a model within which no users or devices are trusted. This is very much of its time. A recent A10 Networks survey found that a third of organizations have already adopted a zero-trust security model. At least one recent survey anticipates the global zero-trust security market will grow from $19.6 billion in 2020 to $51.6 billion by 2026. Zero trust is becoming mandatory in many entities – the U.S. federal government has instructed its agencies to adopt zero-trust architecture by the end of 2024, for example.

Flexibility is baked into PCI DSS 4.0, which lets different organizations customize their approach to achieving their security objectives. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations,” said Emma Sutcliffe, SVP Standards Officer, PCI SSC. The idea is that customizing how the standard is applied leaves room for emerging technologies to be covered by it.

John Bambenek, Principal Threat Hunter at Netenrich, notes how PCI DSS is responding to technology change: “Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis,” he told CSO.

They say compliance is a journey. Orange has already helped RS Group become compliant with the existing PCI DSS standard when it moved its contact center activities to the cloud. The main change in the new standard is the increased flexibility it gives organizations depending on their circumstances. A “zero-trust” approach will be increasingly important. Under this principle, organizations consider themselves at risk from attackers on both their internal and external networks and implement stringent controls accordingly. Organizations must develop, implement and maintain a continuous compliance program that includes more frequent reviews and scans across the entire network.


Jon Evans

Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his regular daily Computerworld AppleHolic and opinion columns. Jon is also technology editor for the men's interest magazine Calibre Quarterly, and news editor for MacFormat magazine, the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.