PCI DSS v4.0 is now published, and it brings significant changes that, taken together, move compliance from an audit-driven, one-time event to a continuous process better suited to today’s payment security needs.
As a member of the PCI Security Standards Council, Flywire was one of the more than 200 organizations that contributed to the changes, a process that kicked off in 2017. It was truly collaborative, with an end product that reflects 6,000 pieces of feedback.
Organizations managing environments within PCI’s scope will have until March 31, 2024 before PCI DSS v3.2.1 is retired, with an additional year to implement certain parts of the new standard. But the audacious goals of PCI DSS v4.0 will require organizations to spend the entirety of that stretch preparing.
A recent webcast with Security Standards Council members Emma Sutcliffe, SVP and Standards Officer; Lauren Holloway, Director of Data Security Standards; and John Bloomfield, Standards Development Manager, Data Security Standards, moderated by Marc Bayerkohler, Standards Trainer, does a fantastic job of digging into the details. Let’s take a look at a few highlights.
Increased security measures
To better meet the security needs of the payments industry, there are changes around requirements for multi-factor authentication (MFA), password lengths and protection, and new requirements aimed at protecting against phishing and social engineering attacks.
- All access into the cardholder data environment (CDE) needs to have multi-factor authentication (MFA), augmenting the current MFA requirement for remote access.
- Required password lengths have been increased from seven to 12 characters.
- Organizations must have both technical mechanisms and training to prevent phishing attacks. This includes processes and automated mechanisms to detect and prevent attacks, as well as security awareness training that includes phishing and social engineering education.
- There are new requirements aimed at preventing skimming, according to the webcast. Merchants must manage all payment page scripts that are loaded and executed in the consumer’s browser, and must deploy a mechanism that detects changes or indicators of malicious activity on the pages.
Increased support for new methodologies, validation methods
There are a lot of changes here, but let’s look at one major one. To allow organizations to validate to PCI DSS using new and innovative technologies, there are now two methods to implement and validate to PCI DSS requirements.
- Defined Approach. This is the existing methodology, in which the organization implements security controls to meet the requirements as stated. The assessor then follows the defined testing procedure to validate that the requirements have been met.
- Customized Approach. Using this new methodology, the organization determines the controls being used to meet a stated objective. It performs risk analysis, addresses risk, defines and documents controls, and performs testing to verify the control is working. There are no defined testing procedures. Instead, the assessor is required to evaluate the organization’s documentation and develop testing procedures appropriate to the specific implementation, according to the webcast. The assessor performs those tests and validates the controls meet the intent of the security objective.
Moving compliance beyond an annual event
Finally, to promote security as a continuous process, there are now requirements for defined roles and responsibilities mapped to major PCI DSS requirements, to push a better understanding of how security fits into a day-to-day role. Reporting and compliance templates have been updated and include flexibility for the assessor to structure them to suit the specific audience.
PCI DSS v4.0 is critical for enhancing payment security. But for organizations managing environments within its scope, the burden of achieving compliance with the standard will be significant. Flywire CTO David King recently discussed these upcoming changes in PCI compliance, along with broader cybersecurity best practices in payments, with Flywire CISO Barbara Cousins. You can listen to the full discussion here.