PCI DSS v 4.0 - Overview & Changes
M. Yousuf Faisal
I help cyber & business leaders with Securing Things (IT, OT/ICS, IIOT, digital transformation/4.0 journey, & AI) & share everything I learn at securingthings.blog | securingthings.academy
Introduction
Credit and debit card payments continue to be the standard for payments around the world. The growing popularity of card payments offers a tempting and lucrative opportunity for hackers. As card payments have grown significantly over the last decade or so, credit card fraud and theft have grown too.
Payment Card Industry Data Security Standard (PCI DSS) is a global security standard with requirements for any organization that processes, stores, or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect and prevent customers’ payment data from being compromised/breached and ensures the security of credit card transactions in the payments industry.
PCI DSS provides a baseline of technical and operational requirements to ensure protection of Cardholder Data (CHD), i.e., sensitive credit card information. The latest version of the standard, PCI DSS v4.0, was published on 31 March 2022 and is now available.
The entire ecosystem of card payments – from merchants to banks to customers – is impacted when card breaches occur, as hackers steal cardholder information, typically for financial gain. Any such breach can mean a potential loss of revenue, customers, brand reputation, and trust. PCI DSS was established to ensure that all companies securely process their payment card transactions; failing to comply with PCI DSS will impact the organization’s customers and business.
PCI DSS v4.0 is the outcome of collective input from the global community, based on:
Source - PCI DSS At a Glance
PCI DSS v4.0 vs 3.2.1 – Implications & Transition Period
PCI DSS Transition Timelines – Source PCI DSS website
PCI DSS Implementation Timelines – Source PCI DSS website
PCI DSS v4.0 – Documents Published
The following documents can be found in the PCI SSC Document Library:
PCI DSS v4.0 vs v3.2.1 – Changes
The “Summary of Changes from PCI DSS v3.2.1 to v4.0.pdf” document highlights all the key changes between PCI DSS v3.2.1 and PCI DSS v4.0.
There are around 64 new requirements in total in PCI DSS v4.0; of these, 13 are effective immediately for all new v4.0-based assessments and 51 are best practices until 31 March 2025, after which they become effective.
Out of these 64 new requirements, 53 apply to all entities that need to comply with PCI DSS and 11 apply to service providers.
Change Types:
There are 3 change types for a PCI DSS standard revision; they are outlined below per the PCI SSC definitions:
The table below summarizes these change types for each of the 12 PCI DSS requirements (the requirement names remain unchanged in PCI DSS v4.0):
Key Changes – Examples
Continue to meet the security needs of the payments industry.
Promote security as a continuous process.
Increase flexibility for organizations using different methods to achieve security objectives.
Enhance validation methods and procedures.
PCI DSS v4.0 – Compliance Levels (remains unchanged)
Compliance levels remain unchanged: there are 4 levels for merchants and 2 levels for service providers, determined by the number of transactions a merchant or service provider processes annually.
Implications of Non-Compliance with PCI DSS
Depending on the PCI DSS level the organization falls under, failure to comply can lead to strict consequences. For example, Visa has the right to move your organization to a stricter level, regardless of the number of credit card transactions processed each year: if your organization is currently level 4, it may be bumped to level 1 for failing to meet the level 4 compliance requirements.
Recommendations
If your organization is embarking on this journey for the first time, you should be more thorough in your assessment process than an organization that is already compliant with PCI DSS v3.2.1 and has been running a PCI program. Whichever option you choose, the best approach is the one that combines manual means (i.e., documentation reviews, interviews, and payment process lifecycle walkthroughs) with technical discovery (i.e., collecting data with different technical tools and techniques to identify where CHD actually resides) to get a complete, validated picture of your CHD environment and connected infrastructure.
Engage an experienced and qualified internal assessor or an independent consultant/third party to perform a PCI DSS v4.0 readiness assessment or gap analysis. It is important to identify assets, vulnerabilities, and risks to cardholder data (CHD) so that identification, protection, prevention, detection, and response controls can be applied. Ensure enough planning and preparation is done, and that the PCI DSS initiative is socialized with relevant stakeholders to get appropriate time, budget, and resource commitments.
Key Takeaways
It all starts with awareness of the changes in the PCI DSS v4.0 standard, the new requirements, how they affect your existing PCI DSS compliance status in the foreseeable future, and the potential impact on your organization in terms of cost, time and effort, and resource requirements.
Based on your budget and resources, the aim is to constantly mature your securing of CHD rather than focusing on point-in-time compliance – remember, PCI DSS compliance is required throughout the year.
PCI SSC, throughout the year, will provide additional information to help the community understand the changes made to the standard. Subscribe to the PCI Perspectives blog for additional resources including podcasts, videos, and blog posts designed to help organizations navigate the transition to PCI DSS v4.0.
NEXT STEPS:
Understanding your current PCI DSS compliance status and program maturity starts with: PCI DSS Readiness Assessment & Gap analysis.
See Additional Resources by PCI SSC:
References
If you have concerns or needs around your PCI DSS standards compliance effort, feel free to reach out to me.
Please register your interest by dropping your name and email if you want to receive a deep dive training/workshop on this topic (Coming soon)
For securing Card holder data (CHD) using PCI DSS v4.0 standard - it’s a great day to start SecuringThings!
About the Author:
M. Yousuf Faisal (EMBA, GICSP, ISO 27001 LA, CISSP, CISM, CISA) has over two decades of technology and IT/OT cyber security industry experience, helping organizations worldwide (especially across APAC) secure their digital transformation journey with secure-by-design principles. He has served both as an end user and, mostly, as an independent consultant/advisor across multiple industrial sectors and enterprise organizations. He was an active PCI Qualified Security Assessor (QSA) for almost a decade. Currently, he does business development, presales/solution, and consulting delivery for emerging technologies in IT & OT, GRC (PCI DSS, ISO 27001, NIST-CSF, CSC, IEC 62443), security technologies and other cyber security services across the APAC region. He holds a B.E. Electrical and an Executive MBA degree.
11 months ago: Re-published at https://securingthings.blog/p/pci-dss-v-40-overview-changes. Supporting video content is to be released in 2024 on the same path above. Watch this space.
Senior Solutions Architect / Advisor @ Hartog Solutions
2 years ago: Great piece of work again M. Yousuf Faisal! And indeed, well said: "the aim is to constantly be maturing on Securing your CHD rather than focusing on getting the compliance point in time". Still there are companies seeing this as a project instead of maturing their security on a continuous basis. Compliance doesn't mean secure, secure might mean compliant.
Very interesting article!