If your business accepts credit card payments, you need to make sure you’re compliant with the new release, version 4.0, of the PCI DSS regulations before midnight on March 31st, 2025.
PCI DSS Version 4.0
The Payment Card Industry Data Security Standard (PCI DSS) is the body of regulations that businesses that handle credit card payments (merchants) must comply with.
It was created by the big five credit card companies: Visa, MasterCard, American Express, Discover, and JCB. It comprises a set of security standards that ensure merchants process, store, and transmit card information in a secure way.
The outgoing PCI DSS, version 3.2.1, has been mandatory since 2018. Its replacement, version 4.0, comes into force at midnight on March 31st, 2025. The standard has to keep evolving so that it keeps pace with new threats and takes into account new technologies and best practices.
Version 4.0 runs to a massive 397 pages, so we can’t cover everything in it in this article, but we’ve pulled out what are likely to be the big-ticket items for the majority of small to medium businesses.
Talk To Your PCI Service Provider
If you use a payment partner such as WorldPay, or Opayo (SagePay’s new name), contact them and find out what they’ve done regarding PCI DSS 4.0, and what remains for you to do.
You might not need to put additional technical measures in place, if:
• You use card terminals provided by your payment processing partner that are encrypted, and provide a secure connection from the terminal to your PCI service provider’s systems
• You do not store any of the numbers from the cards, including the Primary Account Number (the PAN or long card number), the valid to/from dates, and the Card Verification Value (CVV) on the back of a card
• You do not store any of the data encoded in the stripe of the card
• You do not store any of the authentication data
However, if you retain any card data, or process payments in-house, or use payment terminals that access your regular network, then you must satisfy the technical requirements of the standard for increased security.
You might already meet some of the new requirements if you follow current PCI best practices. What PCI DSS 4.0 does is make the recommended best practices mandatory.
Document Who Does What
Requirements 2 through 11 each have a Defined Approach Requirements clause. They all state:
“Roles and responsibilities for performing activities in [this requirement] are documented, assigned, and understood.”
In other words, you must document which person is responsible for each of the different requirements. The same person could be responsible for many or all of these.
This is aimed at fostering a best security practices culture in your business. It also makes things simpler if you have an incident, because your teams should know who is going to do what, like an incident playbook. It’ll also provide guidance for auditors, should you be audited.
Speak to your PCI services provider first, and determine what responsibilities they are taking on, and what responsibilities you must shoulder.
The Big-Ticket Changes
These are the major items. As is always the case, the devil is in the details, so we encourage you to review the PCI DSS 4.0 regulations for yourselves.
1. Phishing Attack Defenses
Because about 90% of successful cyber attacks start with a phishing or other social engineering attack, you must have defences against phishing attacks, and you must train your staff to recognize phishing attacks and other attack indicators.
Cybersecurity awareness training is now mandatory, and must be given to new staff when they join, and at least annually for all other staff.
Staff must be tested, using techniques such as benign phishing campaigns. Failing staff must be retrained and retested.
2. Six-Monthly Reviews of User Accounts
Every six months, you need to review the privileges granted to each user account. If they have higher privileges than their job or role requires, their privileges must be amended so that they have the minimum required privileges for their role.
3. Tighter password requirements
The minimum acceptable password length has been increased to 12 characters. Passwords must not be hard-coded in files or scripts.
4. Multi-factor Authentication to Card Data Environment
If you have a Card Data Environment (CDE), access to it must be secured with multi-factor authentication. This can be accomplished using app-based authentication or physical security fobs.
5. Automated Daily Log Reviews
System logs must be reviewed daily, and suspicious activity must be investigated. Note that the log reviews must be automated rather than done by hand.
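As an added illustration of what an automated daily review can look like (this is our own example, not code from the standard or from any payment provider), the Python script below runs over a constructed day of sshd log lines from a hypothetical CDE host, flags logins by accounts that are not on the allowlist, and flags sources that rack up repeated failed logins. The host name, account names, addresses and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (syslog style) for a hypothetical CDE host; not real data.
SAMPLE_LOGS = """\
Mar 30 02:14:01 cde-db01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 30 02:14:03 cde-db01 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 30 02:14:05 cde-db01 sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 30 02:14:07 cde-db01 sshd[812]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 30 02:14:09 cde-db01 sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar 30 09:02:11 cde-db01 sshd[901]: Accepted publickey for dba-jane from 10.10.5.21 port 40011 ssh2
Mar 30 11:45:52 cde-db01 sshd[977]: Accepted password for contractor-bob from 10.10.9.44 port 40222 ssh2
"""

# Accounts permitted to log in to CDE hosts (hypothetical allowlist, kept under the
# six-monthly account review described elsewhere in this article).
CDE_ALLOWED_USERS = {"dba-jane"}
FAILED_THRESHOLD = 5  # failed logins from one source before we raise a finding (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def review_logs(text):
    """Return a list of (severity, message) findings for one day's log text."""
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication event; ignored by this check
        if m["result"] == "Failed":
            failures[(m["host"], m["src"])] += 1
        elif m["user"] not in CDE_ALLOWED_USERS:
            # A successful login by an account that should never reach the CDE.
            findings.append(("high", f"{m['ts']} {m['host']}: unexpected login by {m['user']} from {m['src']}"))
    for (host, src), n in failures.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("medium", f"{host}: {n} failed logins from {src} (possible brute force)"))
    return findings

if __name__ == "__main__":
    for sev, msg in review_logs(SAMPLE_LOGS):
        print(f"[{sev}] {msg}")
```

Scheduled once a day over the previous day's collected logs, the findings list is what a person then investigates; a real deployment would read from your log collector rather than an embedded string.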
6. Penetration Testing and Vulnerability Scans
According to requirement 11.4, internal vulnerability and external penetration scans must be “regularly performed, and exploitable vulnerabilities and security weaknesses are corrected”.
New exposures and vulnerabilities are discovered all the time, which is why the scans need to be repeated periodically. You might already have penetration scans performed by your payment partner.
Vulnerability scans must be performed quarterly. Vulnerability scans are a similar process, conducted inside your network, that looks for issues such as deprecated software and unsupported or unpatched operating systems.
7. Technical Measures
Depending on your volumes of credit card transactions and their total monetary value, you might be required to implement a Managed Detection and Response system, or a Managed Extended Detection and Response system, which includes Threat Detection and Response.
Intrusion and threat detection systems can detect system compromises that standard anti-virus and anti-malware end-point security cannot. End-point security must still be in place, of course, as it serves a different purpose.
Anti-phishing measures, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), need to be utilised.
Act Now, Don’t Delay
If you’re already operating under the PCI DSS, you’ll know that non-compliance can result in your payment partner refusing to process transactions, or imposing extra charges until you are compliant once more.
We can’t cover the whole of an almost 400-page document in a short piece like this, so refer to the standard yourself (you’ll need to agree to a free license agreement), and consult your PCI service provider about what responsibility sits with them, what sits with you, and whether you’re covered because of the nature of your payment terminals.
And of course, Pro-Networks are ready to assist. If you’ve got any questions or concerns, just let us know. We’re always pleased to help.