The Payment Card Industry Data Security Standard (PCI DSS) is focused on protecting cardholder data. As fraud and cybercriminals evolve, so must the standards by which organizations secure that data, which is why the industry is now in the PCI DSS v4.0 transition period.
The aim of the PCI Security Standards Council is for PCI compliance to be adopted into day-to-day operations as opposed to a yearly task. By treating PCI compliance as an ongoing practice, organizations can reduce business risk and improve security.
The PCI DSS has continued to evolve since its introduction in 2004; the previous version, 3.2.1, dates from 2018. Version 4.0 was published in March 2022 and is rolling out in stages, with its future-dated requirements becoming mandatory on March 31, 2025. We look at some of the key things to know during the PCI DSS v4.0 transition.
Focus on Secure Configuration Management
Earlier versions of the PCI DSS framed many requirements around narrow topics. Requirement 2 in v3.2.1, for example, was about not using vendor-supplied defaults for system passwords and other security parameters. Version 4.0 takes a broader approach: the same requirement is now about applying secure configurations to all system components, of which changing vendor-supplied default passwords is just one element.
Again, the goal is not to treat compliance as an annual task to check off, but to build secure configuration management into routine operations and business processes. Technical configurations still matter, but the emphasis is on a mindset that treats secure configuration as the default. Every time a new procedure or process is created, the organization should ask how it can be made more secure and kept compliant with the PCI standard.
Embrace an Organizational Approach
For organizations that have found themselves scrambling to complete audits, this shift should be welcome. "Point in time" audits can still be useful, but the new focus is on broad, continuous security processes rather than compartmentalized ones. Rather than scattering individual technical controls across departments, organizations should consider centralizing security and compliance responsibilities in a GRC team or a similar function. The aim is to filter every operational process through the security and compliance lens, regardless of department or responsibility. With a constant stream of emerging threats, relying on a single annual audit is no longer a viable security approach.
Cardholder Data is Now Account Data
Some wording has changed in the new standard, including a shift from "cardholder data" to "account data" in many requirements. Account data is the broader term: it covers cardholder data (the primary account number, cardholder name, expiration date and service code) together with sensitive authentication data (full track data, card verification codes such as CVV2, and PINs or PIN blocks). The practical effect is that sensitive authentication data is clearly in scope even when it is held apart from the PAN; storing a card verification code or PIN block without the card number does not take that data out of scope. Organizations should review any data stores they had considered out of scope because the PAN was stripped, since this wording is likely to widen the scope of PCI assessments.
Getting Familiar During the PCI DSS v4.0 Transition
The transition period is meant to allow organizations to get familiar with the changes in v4.0 while making the necessary updates to reporting templates and planning the organizational changes that will allow them to meet the updated requirements.
At Arrow Payments, we understand how complex PCI compliance can be. Our seasoned team of payments professionals are experts at providing guidance and recommendations as you navigate the PCI DSS v4.0 transition. If you would like to speak to someone about your unique scenario, please contact us today.