In 2022, the Federal Trade Commission's Consumer Sentinel Network, a database of consumer fraud and identity theft reports, recorded over 5.1 million reports and $8.8 billion in reported fraud losses. Credit cards were the most frequently identified payment method in fraud reports.
Malicious actors often target credit card transactions in an attempt to access private cardholder data, including identity information and financial details. The Payment Card Industry Data Security Standard, or PCI DSS, is a compliance framework that safeguards consumers’ payment card data.
The most recent PCI DSS update, version 4.0, was released in March 2022 and contains new requirements for handling cardholder data securely. If your organization stores, processes, or transmits payment card data in any way, meeting these requirements is essential for protecting consumer data in today’s ever-evolving threat landscape.
Background and Evolution of PCI DSS
Before PCI DSS, each major card brand ran its own security program with its own requirements. Visa, Mastercard, American Express, Discover, and JCB aligned those programs into a single standard, and PCI DSS v1.0 was released in December 2004. In 2006 the same five brands founded the Payment Card Industry Security Standards Council (PCI SSC) to maintain and develop the standard, which is now applied worldwide.
Since then, the council has released several updates in response to new technologies and emerging threats. PCI DSS is not a law enforced by a government; it is a contractual requirement for any organization that stores, processes, or transmits cardholder data, enforced by the card brands and the acquiring banks that process a merchant's transactions.
Before v4.0, the standard had not had a major release since v3.2.1 in 2018. The latest version brings the requirements up to date for current technology (cloud, virtualization, eCommerce) and adds new controls against current threats.
Pivotal Changes in PCI DSS v4.0
PCI DSS v4.0 contains several new objectives and requirements for fortifying protection against data breaches. Some of the major updates include:
- Updated “firewall” terminology: the standard now refers to “network security controls” so that cloud and virtual network technologies are covered, not only traditional firewalls and routers
- Expansion of multi-factor authentication (MFA) requirements to all access into the cardholder data environment
- Updated password requirements, including a minimum length of 12 characters (up from 7) with both alphabetic and numeric characters
- New eCommerce and phishing requirements, including management of scripts on payment pages, detection of unauthorized changes to payment pages, and anti-phishing mechanisms
- Enhanced flexibility for organizations to demonstrate compliance through a “customized approach” as an alternative to the defined requirements
- Emphasis on security as a continuous process rather than a once-a-year assessment
- Guidance to help organizations implement changes
- Detailed verification and reporting options
The PCI SSC provides a resource hub with the information companies need to begin adapting their systems and processes to comply with PCI DSS v4.0. Complying with PCI DSS updates is not only important for protecting customers’ data: card brands and acquirers can impose fines and other penalties on organizations that are not in compliance.
How PCI DSS v4.0 Addresses the Evolving Nature of Payment Security
The nature of payment security is always changing because new payment technology is constantly emerging. New technologies introduce new potential vulnerabilities for attackers to exploit. Even with evolving security efforts, major data breaches still happen.
In 2022, a dark web marketplace released information about more than 1.2 million stolen credit cards. Experts reported that the data in this leak may have been stolen via malware or by compromising e-commerce sites. PCI DSS aims to prevent such leaks by anticipating likely threats and requiring the controls organizations need to safeguard cardholder data.
For example, Requirement 8.4.2 of v4.0 extends MFA to all access into the cardholder data environment (CDE). Under v3.2.1, MFA was required only for non-console administrative access and for remote access from outside the organization's network. The expanded requirement is future-dated and becomes mandatory on March 31, 2025; it adds another layer of protection between would-be attackers and consumers’ financial information.
Adapting to PCI DSS v4.0: Steps for Businesses
PCI DSS v3.2.1 was retired on March 31, 2024, so assessments after that date are performed against v4.0. The new requirements that v4.0 designates as future-dated (including the expanded MFA and the new password rules) are considered best practice until March 31, 2025, after which they are mandatory. While the update affects every organization that handles cardholder data, companies of different types and sizes will face specific needs and challenges.
To assess your current systems and implement the new guidelines, follow these steps:
- Conduct a gap analysis to identify areas where your current practices fall short of the new PCI DSS guidelines.
- Update policies and documentation to align with the new standards.
- Provide training to ensure employees are aware of updated requirements and any changes to policies and workflows.
- Implement new technical controls for existing systems and platforms. This strategy could involve changes to access controls like passwords and MFA.
- Work with a Qualified Security Assessor (QSA) to perform a formal assessment of your organization’s compliance with the new requirements, or, if your organization is eligible, complete the appropriate Self-Assessment Questionnaire (SAQ).
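To make the "access controls like passwords and MFA" step concrete, here is an added example (it is not code from the original article or from the PCI SSC) of what a login gate for the CDE can look like once the v4.0 password rules and the expanded MFA requirement are implemented. It enforces the Requirement 8.3.6 password rules when a password is set, stores the password as a salted PBKDF2 hash so the stored factor is unreadable, and requires a TOTP code (RFC 6238) as the second factor at login. The user record, the passwords, and the small list of compromised passwords are constructed for the example; screening against a compromised-password list is an extra practice assumed here, not something 8.3.6 itself requires.

```python
import hashlib
import hmac
import os
import re
import struct

# PCI DSS v4.0 Requirement 8.3.6: at least 12 characters (8 only where the system
# cannot support 12), containing both numeric and alphabetic characters.
MIN_LENGTH = 12
TOTP_STEP = 30

# Constructed sample of known-compromised passwords. Screening against a breach
# corpus is an extra practice assumed here; 8.3.6 itself does not require it.
COMPROMISED = {"Password1234", "Welcome12345", "Qwerty123456"}


def check_password_policy(password, known_bad=COMPROMISED):
    """Run when a password is set or changed. Returns the list of violations
    (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if password in known_bad:
        problems.append("found in known-compromised list")
    return problems


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 so the stored factor is unreadable (Requirement 8.3.2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=TOTP_STEP, window=1):
    """Accept the code for the current step or up to `window` neighbouring steps (clock
    drift). hmac.compare_digest keeps each comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), submitted)
        for d in range(-window, window + 1)
    )


def enroll_user(password, totp_secret):
    """Create a constructed user record; refuses passwords that fail the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authorize_cde_login(user, password, submitted_code, unix_time):
    """Both factors must pass before access into the CDE is granted (Requirement 8.4.2):
    the password (something you know) and a TOTP code (something you have)."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], submitted_code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); its code at time 59 is 287082.
    secret = b"12345678901234567890"
    user = enroll_user("Correct-Horse-9", secret)
    print(authorize_cde_login(user, "Correct-Horse-9", "287082", 59))   # True
    print(authorize_cde_login(user, "Correct-Horse-9", "000000", 59))   # False: wrong OTP
    try:
        enroll_user("short1", secret)
    except ValueError as e:
        print("rejected:", e)
```

The policy check runs at enrollment, not at login, so a user who fails it never gets a stored credential; at login both factors are evaluated and the result is a single boolean, so a response does not reveal which factor failed. In production the TOTP secret would be stored encrypted and the replay of an already-used code within the same time step would also be rejected, which this example does not do.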
The Future of Payment Security
Adapting to a new compliance framework requires a proactive approach and an ongoing commitment to compliance. As technology fuels new payment methods, threats to payment security will grow with them. The PCI DSS framework provides practical ways to safeguard users’ payment data against data breaches and cyber-attacks.
Talk to PCI 4.0 experts about how to get compliant.