Hot Topic: PCI 4.0
We’ve written a few times about PCI DSS compliance here and here, but you should also know that the PCI Security Standards Council announced earlier this year that it has started planning the fourth version of the PCI DSS. If you’ve read our previous articles, you know that the PCI DSS is a set of requirements that helps businesses, organizations, and institutions keep cardholder data safe by minimizing fraud and preventing and mitigating cyberattacks and data breaches.
Any higher education institution that processes credit card payments must remain PCI compliant. This includes undergoing annual PCI DSS audits and adhering to the standards set forth in the most recent version of the PCI DSS.
What’s New With Version 4.0?
According to the PCI Security Standards Council website, version 4.0 has several goals:
To continue to meet the security needs within the payments industry
To enhance security through added flexibility and additional methodologies
To advocate for security as an ongoing process
To strengthen validation procedures and methods
The website also makes clear that this new version of the standard will be based upon industry feedback, including the 2017 request for comments (RFC) from global stakeholders. Some specific areas that will be addressed include:
Guidance on authentication and NIST MFA/password
Encryption of cardholder data on trusted networks
Monitoring requirements in light of technology advancement
Increasing frequency of the testing of critical controls
What Else Do I Need to Know?
PCI DSS v4.0 will not fundamentally change the 12 core PCI DSS requirements, though it does seek to address and accommodate technology advancements, risk mitigation techniques, and the overall threat landscape in payments. The new standard may also present enhanced controls and methods to better support organizations in meeting security objectives and to provide greater flexibility.
Currently, the timeline for release of PCI DSS v4.0 is no earlier than late 2020. PCI SSC will be conducting more RFC periods with stakeholders before the publication of the new standard, so the exact release date will at least partially be dependent on feedback received during these RFC periods.
Why the Change?
PCI DSS 3.2 became the official requirements on February 1, 2018. Since then, both payments technologies and methodologies for handling card payments have changed quite a bit. Unfortunately, cybercriminals have evolved rapidly as well, exposing new vulnerabilities within payments systems. PCI DSS 4.0 is geared towards addressing these changes and helping organizations remain effectively secure amidst a quickly changing landscape.
Between the adoption of contactless payments and cloud technology, new security risks are emerging daily. These technologies are creating more dependencies on third parties when it comes to payment processing, requiring additional protocol to ensure all parties remain secure. The issues around third party security will continue to proliferate with the rise of Open Banking in the EU via the revised Payment Services Directive (PSD2).
What Do I do to Prepare?
Since the new standard will likely not go into effect until late next year, those responsible for PCI compliance at their respective universities are not required to do anything…yet. That said, it can be helpful to ensure that you remain compliant with the current PCI standards until then.
Arrow Payments specializes in PCI DSS compliance for higher education institutions. We understand the burden of coordinating across multiple business units and campuses and have deep expertise in keeping your payments secure. Whether you’re looking to build out a robust, secure payment system architecture or implement new solutions, we can help. Like the other colleges and universities we’ve partnered with we can help you reduce PCI scope, so you are prepared for anything when the new standard is released. Contact us today and learn how we can help you simplify PCI compliance.