Changes to the PCI Data Security Standard (DSS) coming early next year are significant, and do something very important in that they move compliance from an audit-driven, one-time event, to a continuous improvement process aimed at best securing payments.
As a result, organizations managing environments within its scope should prepare for some very heavy lifting with PCI DSS 4.0. While organizations will have 18 months to transition to the new standard, it will change significantly since its last update in 2016. As a member of the PCI Security Standards Council, Flywire has been helping to review and provide feedback on the changes, targeted for Q1 of 2022. Here are four areas that will see major impacts.
Stronger focus on protecting against malware. In ensuring that the standard meets the security needs and challenges of the payment industry, it will reach further beyond just the card data environment to how you’re protecting the organization as a whole. The new standard will increase the number of touchpoints and test points, and the amount of data that must be proven to pass, significantly, in an attempt to push organizations to view PCI DSS as a continuous process, not a once a year, scrambling-to-pass-an- audit type of event. The standard adds flexibility and support for additional methodologies to be able to achieve this security. More data will be required for validation requirements, and to that end, there are big changes coming in validation methods and procedures for you to pass in terms of the amount of data that you have to prove how you’re doing certain things.
Much more stringent security requirements. There will be restructuring of requirements for increased security and procedure and measures, so your security profile will have to extend beyond where it is today. It’s a good idea to plan for this in IT budgets, as there will be larger capital needs in terms of security requirements than there are currently.
Multi-factor authentication. The standard is moving to adopt NIST password guidance which is a lot stronger, and forces multi-factor authentication for every touchpoint. There are also stronger transaction authorizations that we’re starting to push, such as 3D Secure or 3DS protocols, which provide an additional layer of security involving customer authentication.
Encryption. The updates increase encryption standards and how to encrypt for preventing theft of data and preventing malware. The rigors around monitoring, logging and detecting are picking up as well, as are the requirements for frequency of testing all these controls.
There are other industry changes afoot as well that will have downstream impacts on PCI compliance, a major one being changes to BIN data. The card industry is moving from 6 digit BINs to 8 digit BINS, which radically impacts two core requirements in the PCI DSS – 3.3, which involves the masking of card data and display, and 3.4, which is storage of PAN truncation.
I recently discussed these upcoming changes in PCI compliance, along with broader cybersecurity best practices in payments with my colleague Flywire CISO Barbara Cousins. You can listen to the full discussion here.