Stealing credit card data is a perennial favorite of cybercriminals everywhere, whose aggressive tactics to score sensitive accountholder details result in breach after breach for organizations small and large. In its most recent research on payment card fraud, The Nilson Report found $28.6 billion in losses for 2020 (nearly 36% in the U.S. alone), with $408 billion in losses projected by 2030. Likewise, the U.S. Census Bureau’s latest Annual Retail Trade Survey discovered that e-commerce sales rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.
Some of this is explained by the digital transformation that occurred during the COVID-19 pandemic, which led to a dramatic rise in online shopping that accelerated the pace of digital exchange by several years. Organizations began storing increasing amounts of cardholder data both on-premises and in cloud repositories, the latter being a favorite target for hackers. Contactless payment also increased in popularity.
PCI DSS 4.0 Addresses Changes to Credit Card Use
In light of the increases in e-commerce and the associated fraud, the Payment Card Industry (PCI) Security Standards Council determined 2018’s PCI Data Security Standard (DSS) v3.2.1 was no longer able to protect cardholder account details effectively. The council, founded in 2006, includes American Express, Discover, JCB International, MasterCard, and Visa. These members oversee the standard and pushed for enhanced controls such as stronger authentication and data encryption.
The council announced PCI DSS 4.0 in March 2022, putting all organizations that process or store cardholder data on alert. These changes are essential if payment cards are to remain viable and effective in the modern age. They do, however, require businesses to evaluate and enhance their security postures to meet the new requirements.
Getting Ready for PCI DSS 4.0
To help you get up to speed on PCI DSS 4.0 and how you can prepare your organization, we’ll review the 12 provisions of the new standard and how Fortra’s solutions support a layered approach to security. Protecting sensitive data and essential infrastructure with proven solutions will enable you to reduce the incidence and impact of breaches and the associated fines, loss of reputation, business disruption, and customer distrust.
Timeline of Upcoming Changes
As with meeting any industry compliance requirement, addressing the implications of PCI DSS 4.0 will take proper assessment and planning. The current version, PCI DSS v3.2.1, will remain in place until it’s retired and replaced by v4.0 on March 31, 2024, to give you ample time to understand the changes and plan for necessary revisions. There are also several suggested updates that won’t go into effect until 2025.
The 12 Controls of PCI DSS 4.0
There are 12 controls within PCI DSS 4.0, which are largely similar to the current version. However, the new standard focuses more on operational compliance and how security controls should be implemented. Using a layered security approach is highly effective for meeting these requirements in a way that bolsters security without causing unnecessary impact to everyday productivity.
1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to cardholder data by business need-to-know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security within organizational policies and programs
Achieve Compliance Across Your Organization With Fortra’s Solutions
Secure file transfers: Information shared among a company’s global employees, customers, and partners is prone to misuse if it lands in the wrong hands. When files contain credit card account details including numbers, PINs, and other sensitive data, Fortra’s GoAnywhere Managed File Transfer is key to safeguarding the exchange. This powerful solution centralizes the management of file transfers, uses role-based permissions, and encrypts data in motion and at rest to achieve compliance.
File integrity monitoring (FIM) and security configuration management (SCM): Requirements 1 – 4 fall into two broad categories: building and maintaining a secure network and systems, and protecting account data. Fortra’s Tripwire enables you to address these requirements by detecting changes to files—including misconfigurations—in real time, including who made which changes, and whether the alterations will result in noncompliance. You can also monitor the configurations of networks, servers, firewalls, and related components in a similar manner.
Email, social media, and web-based contact/chat platforms: When payment card details are shared across these common platforms, data is put at risk. Fortra’s Clearswift Secure Email Gateway automates the scanning and redacting of sensitive details before they are transmitted to your organization. This includes data in hidden fields as well as scanned images and photographs. Information that isn’t subject to PCI DSS 4.0 compliance is unaffected to keep transactions and business moving.
Pen testing for security systems and processes: Requirement 11 is all about testing the security infrastructure in place, with particular emphasis on rooting out potential vulnerabilities and completing the necessary remediation. Fortra’s Core Impact provides penetration testing, including Rapid Penetration Test (RPT) wizards, to quickly assess exploitable vulnerabilities. This enables security admins to secure points of weakness and avoid attack.
We Can Help with PCI DSS Compliance. Let’s Talk.
Contact the professionals at Fortra for a free, 30-minute consultation on what solutions are best for your organization when it comes to securing PCI data. We’ll help you determine the right layers of protection to comply with PCI DSS.