PCI DSS v4.0 announced. What you need to know about it
The PCI Security Standards Council (PCI SSC) has announced the release of the new fourth version (v4.0) of the PCI DSS standard. Let's see how it moves the industry forward and how it helps business owners secure their business.
What is PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an international standard that provides a baseline of technical and operational requirements for protecting payment data. PCI DSS v4.0 is the next evolution of the standard (note: the previous version is v3.2.1).
The main goals of PCI DSS v4.0 and what's new
The new version of the standard includes numerous changes, but there are four main ones, which we will discuss briefly.
- Continue to maintain a high level of security in the payment industry
- Promote security as an ongoing process #DevSecOps #DevOps
- Add flexibility for different methodologies
- Improve and extend validation methods
For a deeper understanding, we recommend reading PCI DSS v4.0 itself in full, along with the differences between PCI DSS v3.2.1 and v4.0, both of which we have attached at the end of the article.
Continue to maintain a high level of security in the payment industry
Methods and practices for protecting against various attacks should evolve as new threats appear.
- Expanded requirements for multi-factor authentication (MFA).
- Updated password requirements.
- Requirements for combating phishing emails and other persistent threats are also highlighted separately.
Promoting security as an ongoing process #DevSecOps #DevOps
Criminals never miss an opportunity to attack and steal personal and bank card data, so we need to keep our finger on the pulse constantly. Continuous security, or "security as a process", includes timely software updates and automated tests at every stage of both development and operation of software. As practice shows, it is becoming crucial for protecting payment data.
- Added guidance to help people better understand how to implement and maintain security.
- A new reporting option has been introduced to highlight areas for improvement and provide more transparency for reporting.
- Clear distribution of roles and responsibilities for each requirement.
Increase flexibility for organizations using different methods to achieve security goals
A high level of flexibility and adaptability gives organizations more options for meeting goals and requirements and supports innovation in payment systems and technology.
- Special allowance for group and shared accounts, subject to clear requirements.
- Targeted, accurate risk analysis allows organizations to set the frequency of certain actions and activities.
- Improved customization and new methods to implement and validate PCI DSS requirements.
Improving methods and procedures for inspections and reporting
Clear audit and reporting parameters support and enhance the transparency and detail of reports.
The new version increases the transparency and clarity of the information provided in the PCI DSS Report on Compliance or Self-Assessment Questionnaire and of the information summarized in the Attestation of Compliance. Previously, it was somewhat difficult for unprepared users to follow the presentation of information; now the presentation is simplified, but it still requires certain knowledge :)
Changes between versions 3.2.1 and 4.0 and the new PCI DSS v4.0 itself
Original source: PCI SSC press release, "Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0"