PCI Compliance Updates Coming in April 2024
Chris Riani | CISSP | CASP
Several changes are coming to the Payment Card Industry Data Security Standard (PCI DSS), starting April 1, 2024. These changes introduce new compliance requirements that demand a proactive approach from organizations. Check out some of the featured changes, and see how they may impact you and your company.
Websites with Payment Portals
Websites that redirect users to a payment portal or utilize embedded payment portals (such as iframes) will now fall under the quarterly ASV (Approved Scanning Vendor) scope for external scanning and remediation. This will further ensure the entire transaction process, from initiation to completion, is safeguarded against potential vulnerabilities.
24/7 Response Capability
Certain Self-Assessment Questionnaires (SAQs) will now require organizations to maintain a 24/7 response capability. This requirement recognizes the necessity for a prompt and effective response to security incidents, ensuring that any potential threats or breaches are addressed swiftly to minimize impact.
In addition to these immediate changes, the upcoming release of PCI DSS version 4.0 introduces a host of future-dated requirements that will likely be introduced in smaller updates, like 4.01. While these are not yet in place, they are still important to note and keep track of.
Mandatory Multi-Factor Authentication (MFA)
As cyber threats continue to evolve, a future version of PCI DSS will mandate the implementation of Multi-Factor Authentication (MFA) as a standard security practice. This additional layer of protection safeguards against unauthorized access.
Internal scanning ensures that potential vulnerabilities within an organization’s network are identified and addressed promptly, strengthening overall security posture.
Required Penetration Testing
Organizations completing Self-Assessment Questionnaires may find that many now require penetration testing. This emphasizes the importance of actively testing and assessing the security measures in place to identify and remediate potential weaknesses.
As these changes roll out, businesses can anticipate an increase in inquiries related to PCI compliance. Major card issuers such as Visa, American Express, and Mastercard are expected to communicate these updates in the coming weeks via email. We recommend that organizations stay informed and be prepared to address any queries regarding the implications of these changes on their PCI compliance status.
Staying compliant with PCI DSS is a continuous journey, and the upcoming changes highlight the need for organizations to be proactive in their approach to payment security. By understanding and implementing the evolving requirements, businesses can not only ensure compliance but also enhance the overall security of their payment systems. As April 1st approaches, it’s essential to stay vigilant and adapt to these changes to maintain a secure environment.
Inquiries & Press Contact:
Jeremy Louise, VP of Sales & Business Development