The Five-Step PCI DSS 4.0 Transition Checklist

By Tyler Reguly, senior manager, security R&D at cybersecurity software and services provider Fortra

The pandemic ushered in an unprecedented wave of online purchasing, as people around the world became far more comfortable with virtual shopping. In fact, the U.S. Census Bureau’s latest Annual Retail Trade Survey reports e-commerce expenditures rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.

Cybercriminals everywhere matched the uptick with clever new schemes to filch payment card data and defraud victims of billions of dollars. The Nilson Report estimated $28.6 billion in payment card-related losses occurred in 2020 (over one-third of them in the U.S.). The same report predicts that annual losses will reach $408 billion by 2030.

Time for change

With the boom in digital commerce paired with the increased popularity of contactless payment and cloud-stored accountholder data, the Payment Card Industry (PCI) Security Standards Council decided to re-evaluate the existing standard. First launched in 2004 and updated most recently in 2018, the PCI Data Security Standard (PCI DSS) is continually revised to reflect the evolving challenges of the cyberthreat landscape.

The current version, PCI DSS v3.2.1, is clearly failing to protect cardholder account details effectively in today’s environment. The Council gathered input from 200+ organizations and announced the updated requirements in March 2022; they become mandatory on March 31, 2024. Organizations also have until 2025 to implement a set of future-dated changes. The full timeline can be found on the PCI Security Standards Council website.

The 12 controls

PCI DSS 4.0 spans 12 controls, several of which have received updates in the latest version. According to the PCI Council, the enhanced requirements promote security as a continuous process while adding flexibility for different methodologies.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security within organizational policies and programs

Changes in PCI DSS 4.0

Looking at the new standard more closely, several requirements carry notable changes. Below is a high-level overview of the differences between PCI DSS v3.2.1 and PCI DSS v4.0:

Requirement 2: Broader scope defining the need for security configuration management (SCM) on more types of assets.

Requirement 3: “Account Data” instead of “Cardholder Data” indicates a potential increase of scope for PCI assets.

Requirement 4: Less specificity on the type of encryption used means your organization is freer to follow industry best practices. An important takeaway is to internally define what those technical standards are and be able to justify why they are now “Strong Cryptography” so that you can still pass your PCI audit (essentially, just document what standards you are following and why).

Requirement 5: It is no longer sufficient to just have standard antivirus software. This requirement now specifically calls for anti-malware to be in place, necessitating a strong antivirus solution with malware protection or an EDR/MDR/XDR solution.

Requirements 7–9: These requirements are primarily the same as before, but the big takeaway is that instead of only enforcing access controls at the system level, the standard now expects them to be applied more granularly to specific components such as software, databases, etc.

Your five-step PCI DSS 4.0 transition checklist

As you get up to speed on how the standard itself has evolved, you’ll begin to understand the potential impact on your own processes and operations. This isn’t a one-and-done effort; it will require a phased approach over time. Successful organizations will view the new requirements as an opportunity to strengthen the security mindset across many aspects of their business.

To help you get started, you’ll want to build the following components into your initiative:

  1. Plan a phased implementation according to the PCI timeline
  2. Review potential changes to scope
  3. Conduct a people and process evaluation
  4. Strengthen security configuration management (SCM) processes
  5. Onboard a tool that automates continuous compliance

Go in-depth on how to approach each of these items in this executive guide, the Five-Step PCI DSS v4.0 Transition Checklist. This resource helps you understand the requirements of PCI DSS 4.0 and how to ensure your organization is addressing the changes needed to avoid audit fines and data breaches.

Above all, securing payment card information helps protect your customers’ sensitive information and your company’s reputation by preventing costly business disruption in a fast-changing cyberattack environment.

Tyler Reguly is senior manager, security R&D at cybersecurity software and services provider Fortra, responsible for overseeing TACTIC, a team of security researchers that provide the security expertise that powers the company’s Tripwire product line.

In addition to security research, Tyler has worked closely with Fanshawe College, from which he graduated with a diploma in Computer Systems Technology, developing five courses including subjects like Advanced Hacker Techniques & Tactics, Hacking and Exploits, Malware Research, Evolving Technologies and Threats, and Python Programming.

Tyler has contributed to various standards over the years including CVSSv3 and has provided technical editing to a number of published books. In addition, he is a co-founder of the IoT Hack Lab that has been offered at SecTor (Security Education Conference Toronto) since 2015.
