PCI Compliance Updates Coming in April 2024
Chris Riani | CISSP | CASP
Several changes are coming to the Payment Card Industry Data Security Standard (PCI DSS), starting April 1, 2024, when PCI DSS 4.0 becomes the only official PCI standard at the conclusion of the 3.0 transition period. The new requirements introduce stringent cybersecurity compliance obligations for organizations that process credit cards. We’ve developed a brief overview of what these changes entail and how they will impact your organization, so you can stay aware of what your organization will need to implement and the best options for doing so.
Who This Will Impact
Before we dive into the changes coming in PCI DSS 4.0, it’s important to know which Self-Assessment Questionnaire (SAQ) you need to complete. This is determined by several factors, including the volume of transactions, the way in which your organization accepts payments (face-to-face, point of sale, etc.) as well as your method for storing data. To help simplify what SAQ your organization must complete, please refer to the table below.
Key Changes to Note
Website Payment Portal Updates
Websites that redirect users to a payment portal or utilize embedded payment portals (such as embedded iframes) will now fall under the quarterly ASV (Approved Scanning Vendor) scope for external scanning and remediation. This is a non-intrusive website scan which quickly identifies vulnerabilities and potential risks. This will further ensure the entire transaction process, from start to finish, is safeguarded.
Heightened Authentication Protocols
PCI DSS 4.0 incorporates enhanced measures, with updated criteria for MFA and more robust password policies. All accounts with access to cardholder data must implement MFA, and passwords should be changed annually or in response to suspicious activity, ensuring they are strong, unique, and meet defined complexity standards.
24/7 Response Capability
Certain SAQs will now require organizations to maintain a 24/7 response capability. This requirement recognizes the necessity for a prompt and effective response to security incidents, ensuring that any potential threats or breaches are addressed swiftly to minimize impact.
Collaboration With Auditors
Close collaboration between organizations and auditors is necessary for compliance with PCI DSS 4.0. This requires involving auditors in project design and implementation, as well as strategizing for adherence to the updated version. Consistent communication and coordination with auditors are vital elements throughout the entire process.
What Else is Required?
• Install and Maintain Network Security Controls
• Apply Secure Configurations to All System Components
• Protect Stored Account Data
• Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
• Protect All Systems and Networks from Malicious Software
• Develop and Maintain Secure Systems and Software
• Restrict Access to System Components and Cardholder Data by Business Need to Know
• Restrict Physical Access to Cardholder Data
• Log and Monitor All Access to System Components and Cardholder Data
• Support Information Security with Organizational Policies and Programs
Additional Changes for 2025
In addition to these immediate changes, the upcoming release of PCI DSS version 4.0 introduces a host of future-dated requirements that will need to be implemented by April 1, 2025. As of now these are only highly recommended, but they should be considered as you formulate your compliance strategy:
- Enhanced Key Management: Added security measures are required to safeguard the integrity of security keys and certificates. Expired certificates are strictly prohibited for encryption and authentication purposes.
- Continuous System Assessment: A comprehensive evaluation of all systems is mandatory to assess vulnerability to malware, aligning with the company’s risk profiles.
- Anti-Phishing Safeguards: Compliant systems must integrate processes and automated methods to mitigate or eliminate phishing attacks, employing techniques like DMARC, DKIM, and SPF.
- Reinforced Web Script and Application Security: Firewalls and automated technical controls are required to protect both public-facing and internal web applications, with a complete phase-out of manual assessments.
- Annual Encryption Algorithm Review: Organizations must review encryption algorithms annually to ensure they align with business operations, staying informed about modern encryption trends to remain up to date.
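The Anti-Phishing Safeguards item above names SPF and DMARC but does not show what a weak versus a hardened record looks like. The following is an added example, not code from the original post or from TSI: it parses SPF and DMARC TXT records and flags settings that leave a domain open to spoofing. The domain names and records are constructed sample data, not real DNS lookups.

```python
import re

# Constructed sample TXT records (not real domains' DNS data): one domain
# with permissive settings and one with the policy a reviewer wants to see.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.example.net +all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "hardened.example": ("v=spf1 include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
}

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    pairs = [p.strip().split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_spf(record):
    """Return findings for an SPF record; the final 'all' mechanism sets strictness."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", record)
    if not m:
        findings.append("SPF has no terminating 'all' mechanism")
    elif m.group(1) in ("", "+"):
        findings.append("SPF ends in +all: any sender passes")
    elif m.group(1) == "?":
        findings.append("SPF ends in ?all: neutral, no protection")
    return findings

def assess_dmarc(record):
    """Return findings for a DMARC record; p=none only monitors, never blocks."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: no aggregate reports")
    return findings

def assess_domain(name, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings; an empty list means no weaknesses found."""
    spf, dmarc = records[name]
    return assess_spf(spf) + assess_dmarc(dmarc)
```

DKIM is not covered here because its check requires verifying a signature against a published public key rather than inspecting a single policy record.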
What to Expect
As these changes roll out, businesses can anticipate an increase in inquiries related to PCI compliance. We recommend that you engage your vendors to keep informed of these updates as they evolve, and be prepared to address any queries regarding the implications of these changes. Staying compliant with PCI DSS is a continuous journey, and the upcoming changes highlight the need for organizations to be proactive in their approach to payment security. By understanding and implementing these requirements, businesses can not only ensure compliance but also enhance the overall security of their payment systems. Even if you are not directly impacted by these changes, it is always a good idea to implement at least 1-2 of the following from a cybersecurity best practices standpoint:
- Multi-factor Authentication (MFA): Multi-factor authentication is a security feature that requires you to provide two or more forms of identification before accessing your account.
- Network Security Monitoring & Alerting (SIEM): A SIEM is a software solution that collects and analyzes security data from multiple sources in real-time to detect and respond to security threats. It aggregates and correlates logs and alerts generated from different sources, such as network devices, servers, and applications, and uses machine learning algorithms to identify patterns of suspicious behavior or anomalies.
- End User Security Awareness Training & Simulated Phishing Attacks: Proper training is vital to ensuring that employees can adapt to, understand, and become efficient with implemented changes. End-user security training teaches employees to recognize issues early, so they can be brought to the attention of information technology (IT) personnel before a security incident occurs and before an asset becomes unusable.
As always, our team is here to help guide you through the process to ensure your organization is prepared for these changes and to learn more about upcoming changes to PCI. If you have any questions or would like to learn more about how we can help, please don’t hesitate to contact us at any time.
Inquiries & Press Contact:
Jeremy Louise, VP of Sales & Business Development
jlouise@tsisupport.com
(508) 772-6122