Updating The Standard
The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect cardholder data and so reduce fraud when customers pay by credit or debit card. If your organisation takes payment by card, or provides services to others that do, it may apply to you.
The standard has existed for some 18 years, and in that time the threat from criminals has grown in both volume and sophistication.
Technology has also continued changing at pace, so updates were needed to make the standard more appropriate for the times.
What Has Changed
PCI DSS comprises security controls grouped into twelve Requirements, each covering a different area, from network security and physical security through to information security policy.
The twelve Requirements themselves are unchanged from version 3.2.1, the previous version, to version 4.0. The detail within them has been refined in places and renumbered.
The refinements are largely for clarity and to reflect current technology. For instance, PCI DSS 4.0 no longer talks about firewall rules but about Network Security Controls, so that the requirement can be met equally by a traditional firewall or by the security groups and network policies used in cloud-hosted environments.
What Is New
In addition to the refined security controls in each Requirement, there are NEW SECURITY CONTROLS designed to protect against emerging threats. These new controls include:
- Stricter rules for protecting stored payment card data, including how account numbers may be encrypted or hashed.
- Technical controls to detect and protect staff from phishing attacks.
- Security of code repositories, and of code libraries and scripts imported from third parties.
- Increased password strength (the minimum length rises from 7 to 12 characters).
- Prompt detection and correction of failures in critical security systems.
- Intrusion detection and prevention on internal networks, including detection of covert malware communication channels.
- Change- and tamper-detection for the scripts on payment pages as they are delivered to the customer's browser.
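The last two code-related controls in that list, an inventory of the scripts a payment page loads and detection of unauthorised changes to them, can be implemented with a simple integrity check. The following is an added example, not code from the original page or from any PCI SSC material. It records a SHA-256 digest of every script on the authorised build of the page (external scripts keyed by their src and hashed on the file actually served, inline scripts keyed by position), re-scans the page as later observed, and reports anything added, removed or altered. The HTML, the CDN URLs and the file contents are constructed for the example; in production the fetch callable would retrieve each URL over HTTPS and the baseline would be stored outside the web tier.

```python
"""Inventory and change-detection for the scripts on a payment page.

Added example; not part of the original page. The page HTML, CDN URLs
and file contents below are constructed, not taken from any real site.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> element on a page, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # list of (src or None, inline body)
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:      # only collect inside <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def script_inventory(html, fetch):
    """Map each script on the page to the SHA-256 of the code it executes.

    External scripts are hashed on the body returned by fetch(src), so a
    tampered file on a CDN is caught even though the page HTML is unchanged.
    Inline scripts have no name, so they are keyed by their position.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    inventory, inline_index = {}, 0
    for src, body in collector.scripts:
        if src:
            inventory["src:" + src] = sha256_hex(fetch(src))
        else:
            inventory[f"inline:{inline_index}"] = sha256_hex(body)
            inline_index += 1
    return inventory


def compare_inventories(authorised, observed):
    """Return the scripts added, removed or modified relative to the baseline."""
    return {
        "added": sorted(k for k in observed if k not in authorised),
        "removed": sorted(k for k in authorised if k not in observed),
        "modified": sorted(k for k in authorised
                           if k in observed and authorised[k] != observed[k]),
    }


# Constructed sample: the authorised build of the payment page.
AUTHORISED_HTML = """<html><body>
<form id="card">...</form>
<script src="https://cdn.example/jquery.min.js"></script>
<script>initCardForm();</script>
</body></html>"""

# Constructed sample: the page as observed later. A third-party library has
# been silently altered and an extra script injected (a typical skimmer).
OBSERVED_HTML = """<html><body>
<form id="card">...</form>
<script src="https://cdn.example/jquery.min.js"></script>
<script>initCardForm();</script>
<script src="https://cdn.example/analytics.js"></script>
</body></html>"""

# Constructed stand-ins for fetching the external files at baseline and now.
AUTHORISED_FILES = {"https://cdn.example/jquery.min.js": "/* jquery 3.x */"}
OBSERVED_FILES = {
    "https://cdn.example/jquery.min.js": "/* jquery 3.x */ sendCard(document.forms.card)",
    "https://cdn.example/analytics.js": "/* not on the authorised inventory */",
}


def run_check():
    """Compare the observed page against the authorised baseline."""
    baseline = script_inventory(AUTHORISED_HTML, AUTHORISED_FILES.__getitem__)
    current = script_inventory(OBSERVED_HTML, OBSERVED_FILES.__getitem__)
    return compare_inventories(baseline, current)


if __name__ == "__main__":
    for kind, keys in run_check().items():
        for key in keys:
            print(f"{kind.upper():9} {key}")
```

Run against the constructed data, the check flags jquery.min.js as modified and analytics.js as added, while the unchanged inline script passes. The baseline must be regenerated through your change-control process whenever an authorised change is deployed, otherwise every legitimate release looks like tampering.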
When Must I Comply with PCI DSS 4.0?
You MUST comply with PCI DSS 4.0 by 1 April 2024, but the new requirements have a grace period: they are treated as best practice until 1 April 2025, after which they must be in place. Some of the new requirements may not apply to you if you are eligible to complete a reduced-scope Self-Assessment Questionnaire (SAQ).
How to Prepare for v4.0?
Speak to your Qualified Security Assessor (QSA). They will be able to tell you what the changes mean for your environment, what you can be doing now to prepare, and help you understand your timeline.
If you have any questions in the meantime, please do not hesitate to get in touch and we will arrange a call with one of our experts.