Explore PCI DSS 4.0: The future of cardholder data security


For those in charge of industry standards, ensuring rules are up to date and fit for purpose is a constant battle against time. And when it comes to addressing the risk of payment card data theft, the stakes couldn’t be higher. That’s why the latest version of the Payment Card Industry Data Security Standard (PCI DSS) is a big deal. Going into effect March 31, 2024, PCI DSS 4.0 introduces a host of new requirements for organizations that process card data.

And more generally, it shifts the focus for compliance teams away from point-in-time security to continuous risk management. That is exactly what continuous controls monitoring (CCM) was built for. Before we dive into CCM as an enabler for compliance with PCI DSS 4.0, we must first understand the reasons behind this game-changing update as well as the new requirements for organizations that manage cardholder data.

Why was PCI DSS updated?

The Payment Card Industry Security Standards Council collected thousands of items of feedback from industry over a three-year period to ensure that PCI DSS 4.0 accurately reflects the changing payment security landscape. That landscape has evolved rapidly in recent years, with growing adoption of biometric multi-factor authentication and smartphone-based digital wallets by consumers, and of mobile payment devices and cloud and serverless computing by businesses. As new replaces old, the PCI DSS must adapt.

It must also reflect the growing menace of the cybercrime economy, which is now measured in the trillions of dollars annually. The ease with which threat actors can launch fairly sophisticated attacks, fueled by a thriving market for vulnerability exploits and stolen credentials, is a concern for any IT security or compliance manager. Service-based offerings readily available on underground sites have lowered the bar to entry for a whole new class of cyber-criminal, while cutting-edge tactics, techniques, and procedures (TTPs) continue to filter down from those at the very top.

Ransomware groups pose a threat not only to the availability of payment systems but also to their confidentiality, as most attackers aim to steal data before they encrypt it. Other groups use tried-and-tested techniques like digital skimmers to steal card data as soon as it is entered into payment pages. The supply chain remains a key area of concern and risk exposure.

Breaches impact some sectors more than others. In “accommodation and food services” (41%) and retail (37%), payment card information comprised a significant percentage of breached data last year, according to Verizon. However, any organization that accepts payments—or stores, transmits, or maintains any cardholder data for others—must take PCI DSS compliance seriously.

Coming March 2024: What’s new in PCI DSS 4.0?

At a high level, the PCI DSS is designed to protect cardholder data and sensitive authentication data wherever it is processed, stored, or transmitted. Billed as one of the biggest changes to the standard since 2004, version 4.0 contains a raft of new requirements to keep it current with the threat and payment security landscape.

To comply with PCI DSS 4.0, organizations that handle and store cardholder data must be able to check the following boxes:

  • Perform internal vulnerability scans via authenticated scanning.
  • Manage all applicable vulnerabilities (not just critical ones) found during these scans.
  • Include awareness of relevant threats and vulnerabilities in end-user security training.
  • Review and update the security awareness program at least once every 12 months.
  • Implement processes/mechanisms for reporting and addressing security incidents and vulnerabilities.
  • Deploy multi-factor authentication (MFA) for all access into the cardholder data environment (CDE).
  • Encrypt sensitive authentication data (SAD).

[Figure: PCI DSS v4.0 Implementation Timeline. Source: PCI Security Standards Council, Countdown to PCI DSS v4.0]

Version 4.0 moves closer towards continuous exposure management

However, while meeting these requirements is critical to achieving compliance, the standard has moved away somewhat from a focus on precise technical specifications to a broader view of security.

There are four main security objectives:

  • Ensuring the standard continues to meet the security needs of the payments industry.
  • Adding flexibility and support for additional methodologies to achieve security.
  • Promoting security as a continuous process.
  • Enhancing validation methods and procedures.

Most interesting is the goal of driving security as a continuous process. It can be seen as a response to the negative outcomes associated with “check box” compliance—where organizations do the bare minimum to pass external audits, and no more. Such short-termism may put organizations at risk in the long term because it leads them to overlook critical security issues. In short: compliance does not equal security, even if it does provide a good baseline.

PCI DSS 4.0 is about persuading organizations to better understand their security posture, improve their security processes and controls, and then identify areas for improvement—on a continuous basis.

Stay tuned for part II of this blog post, where we’ll explore how continuous controls monitoring (CCM) can help support this mandate for continuous improvement.

In the meantime, explore how Noetic is enabling organizations to not only meet, but exceed these standards: How to Implement Continuous Threat Exposure Management with Noetic.