PCI DSS v4.0 Brings Changes to Payment Card Regulations
At the end of March, the Payment Card Industry Security Standards Council (PCI SSC) published version 4.0 of its PCI Data Security Standard (PCI DSS). PCI SSC said in a statement the latest version will address emerging threats and technologies and enable innovative methods to combat these new threats.
The latest version of PCI DSS will incorporate several changes. Primarily, they revolve around four main tenets: continue to meet the security needs of the payments industry; promote security as a continuous process; increase flexibility for organizations using different methods to achieve security objectives; and enhance validation methods and procedures.
For security needs, PCI DSS v4.0 has expanded multifactor security requirements, updated password requirements, and new e-commerce and phishing requirements to address ongoing threats.
To promote security as a continuous process, PCI DSS v4.0 now has clearly assigned roles and responsibilities for each requirement; added guidance to help people better understand how to implement and maintain security; and a new reporting option to highlight areas for improvement and provide more transparency for report reviewers.
To increase flexibility for organizations, PCI DSS v4.0 now offers allowance of group, shared and generic accounts; targeted risk analyses to empower organizations to establish frequencies for performing certain activities; and customized approaches to implement and validate PCI DSS requirements.
And to enhance validation methods and procedures, PCI DSS v4.0 now has increased alignment between information reported in a report on compliance or self-assessment questionnaire and information summarized in an attestation of compliance.
PCI DSS v3.2.1 will remain active for two years now that v4.0 has been published, to give organizations the opportunity to become familiar with the latest version and to plan for and implement the required changes.
Although you have about two years to understand PCI DSS v4.0, it is never too early to partner with a cybersecurity expert like 2W Tech. Call us today so we can help you meet your compliance obligations through our Cybersecurity Compliance Program.