Explore PCI DSS 4.0: The future of cardholder data security – Source: securityboulevard.com

Why was PCI DSS updated?

The Payment Card Industry Security Standards Council collected thousands of items of feedback from industry over a three-year period, to ensure that PCI DSS 4.0 accurately reflects the changing payment security landscape. This has been evolving rapidly over recent years, with growing adoption of biometric multi-factor authentication and smartphone-based digital wallets by consumers, as well as mobile payment devices and cloud and server-less computing by businesses. As new replaces old, the PCI DSS must adapt.

It must also reflect the growing menace of the cybercrime economy, which is now measured in the trillions of dollars annually. The ease with which threat actors can launch fairly sophisticated attacks, fueled by a thriving market for vulnerability exploits and stolen credentials, is a concern for any IT security or compliance manager. Service-based offerings readily available on underground sites have lowered the bar to entry for a whole new class of cyber-criminal, while cutting edge tactics, techniques, and procedures (TTPs) continue to filter down from those at the very top.

Ransomware groups not only pose a threat to the availability of payment systems, but also their confidentiality, as most attackers aim to steal data before they encrypt it. Other groups use tried-and-tested techniques like digital skimmers to steal card data as soon as it’s entered into payment pages. The supply chain remains a key area of concern and risk exposure.

Breaches impact some sectors more than others. In “accommodation and food services” (41%) and retail (37%), payment card information comprised a significant percentage of breached data last year, according to Verizon. However, any organization that accepts payments—or stores, transmits, or maintains any cardholder data for others—must take PCI DSS compliance seriously.

At a high level, the PCI DSS is designed to protect cardholder data and sensitive authentication data wherever it is processed, stored, or transmitted. Billed as one of the biggest changes to the standard since 2004, version 4.0 contains a raft of new requirements to keep it current with the threat and payment security landscape.

To comply with PCI DSS 4.0, organizations that handle and store cardholder data must be able to check the following boxes:

• Perform internal vulnerability scans via authenticated scanning.
• Manage all applicable vulnerabilities (not just critical ones) found during these scans.
• Include awareness of relevant threats and vulnerabilities in end-user security training.
• Review and update the security awareness program at least once every 12 months.
• Implement processes/mechanisms for reporting and addressing security incidents and vulnerabilities.
• Deploy multi-factor authentication (MFA) for all access into the cardholder data environment (CDE).
• Encrypt sensitive authentication data (SAD).

Version 4.0 moves closer towards continuous exposure management

However, while meeting these requirements is critical to achieving compliance, the standard has moved away somewhat from a focus on precise technical specifications to a broader view of security.

There are four main security objectives:

• Ensuring the standard continues to meet the security needs of the payments industry.
• Adding flexibility and support for additional methodologies to achieve security.
• Promoting security as a continuous process.
• Enhancing validation methods and procedures.

Most interesting is the goal of driving security as a continuous process. It can be seen as a response to the negative outcomes associated with “check box” compliance—where organizations do the bare minimum to pass external audits, and no more. Such short-termism may put organizations at risk in the long-term because it means they overlook critical security issues. In short: compliance does not equal security, even if it does provide a good baseline.