Visa Europe revealed important stats about the usage of Contactless Cards.
Poland, Spain and the UK use this payment methd the most,
with UK usage growing by 300% year over year.
What is new in PCI DSS 4.0?
Advantio Team November 20, 2023
10 minutes read
The Payment Card Industry Data Security Standard (PCI DSS) has been the bedrock of cardholder data protection since its launch in 2006. With the implementation deadline of March 31st, 2024 rapidly approaching, the standard has undergone a significant transformation since its previous version to address the evolving demands and complex nature of modern cyber threats.
Continuous monitoring and testingand introduce new technical and operational requirements for achieving compliance.
The Goals of PCI DSS 4.0
The update to the standard is driven by four main objectives:
To keep pace with the changing payment industry: As the industry advances, the standards must also progress to maintain relevance.
To promote continuous security: Security must be an ongoing endeavor, not a one-time checklist.
To provide flexibility in maintaining payment security: The standard now recognizes the diversity of technologies and processes, allowing for more customization.
To improve validation methods and procedures: The methods for validating compliance must be as strong as the security measures they aim to verify.
Key Developments in PCI DSS 4.0
Introduction of the Customised Approach
The most significant change from PCI DSS 3.2.1 to 4.0 is the introduction of the Customized Approach. This concept allows entities to move beyond the traditional 'Defined Approach', which requires strict adherence to the technical controls as specified in the standard. Instead, with the Customized Approach, entities have the flexibility to select controls that they deem most suitable for their environment to manage associated risks. This offers greater adaptability and the ability to embrace innovative solutions. In PCI DSS v4.0, entities have the choice to use either the Defined Approach or the Customized Approach, depending on their specific needs and circumstances.
Updated and New Requirements
Alongside the Customised Approach, PCI DSS 4.0 has updated existing requirements and introduced new ones to mitigate emerging threats. Key updates include:
Strengthened authentication controls, with a particular emphasis on multi-factor authentication.
Enhanced password complexity, with the minimum length requirement, increased from eight to twelve characters.
New guidelines for the management of shared, group, and generic accounts.
Clearly articulated roles and responsibilities for each requirement.
Payment page script integrity
Encryption of sensitive authentication data (SAD)
Prevention of copying and/or relocating of the primary account number (PAN) when using remote-access technologies
Necessity to detect and protect personnel against phishing attacks
Automated mechanisms to perform audit log reviews
Intrusion-detection/prevention techniques to detect, alert on/prevent covert malware communication channels
The Self-Assessment Questionnaires and the Report on Compliance template have been greatly expanded in levels of detail and doubled in size. Audited organizations are now under a lot more scrutiny to achieve compliance.
For organizations that are already PCI-validated, it is crucial to review the changes in PCI DSS 4.0 and begin planning for the transition. This should involve consulting with a qualified security assessor to understand the implications of the new Customized Approach and other changes.
Summary of Changes
The PCI Security Standards Council has made substantial updates to the standard, reflecting the need to stay current with the evolving threat landscape and technological advancements. These changes affect a broad spectrum of requirements and will have implications for all entities that handle cardholder data.
We've got your back during this transition with:
Quick half-day remote workshops to comprehend core changes and plan your strategy accordingly.
In-depth Technical Gap Analysis for a solid understanding of the new standard.
Established in 2009, Advantio offers a comprehensive portfolio of professional, managed, advisory, and security testing services. Our subject matter expertise and services focus on cybersecurity, data protection, risk, and compliance with a distinct specialization in the ‘Payment Card Industry.’ We believe that for your organization to compete and grow in a rapidly evolving environment, investing in the right partner and technology is crucial to help you focus better on your core business. Our team works tirelessly to help you achieve, maintain, and demonstrate compliance against the most demanding cybersecurity standards and regulatory frameworks on time and on budget. With a strong presence across Europe and global reach on four continents, we have become the partner of choice for many large corporates and international enterprises. Our clients span a diverse range of fintech suppliers and fintech consumers in verticals such as travel, hospitality, telecommunication, financial, healthcare, education, entertainment, government, non-profit and more.