New payment security standards create new opportunities for online financial companies
New security standards released a month ago promised to create a much more secure environment for card payments.
PCI DSS 4.0 is supposed to give businesses “more flexibility,” allowing them to select and use their own solutions to meet the standard’s security objectives, according to the PCI Security Standards Council’s statement.
Indeed, given that malicious code downloads and intrusions have become perhaps the toughest challenges for financial firms in recent months, the standard should better protect card data. This major update to the PCI Data Security Standard, the first since version 3.2.1 in 2018, aims to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information, according to the PCI Security Standards Council.
“PCI DSS 4.0 is the next evolution of the PCI DSS standard,” said Sean Smith, manager of PCI consulting services at Optiv. “And, at a very high level, the total number of possible checks increases from 370 to over 500 checks. These controls are used for PCI DSS compliance assessments.”
Additionally, the pandemic has fueled far more digital card payments as individuals and businesses choose to shop online rather than travel to stores and risk exposure to COVID. According to the council, in addition to meeting security needs and being more “flexible,” the primary goals of PCI DSS 4.0 are to “promote security as a continuous process” and to “enhance validation methods and procedures.”
“While PCI DSS 4.0 retains the existing prescriptive method for compliance, the new version introduces an alternative option for achieving compliance: customized implementation,” according to the council’s statement. “Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.”
Marc Punzirudu, Director of Field Technology for PKWARE, said, “The changes to PCI DSS v4.0 have several reasons: to encourage the status quo, to create flexibility, to remove some gray areas and to move towards modern security. They have all been identified as areas related to v3.2.1 weaknesses.”
Punzirudu pointed out that the three types of changes to the standard can be categorized under: structure and format, clarification and direction, and changing requirements.
The third is the most important, and the one where organizations are likely to focus their efforts the most due to changes in controls and requirements, according to Punzirudu.
“The defined approach is the traditional method of implementing and assessing PCI scope,” said Punzirudu, “while the new customized approach provides organizations with mature security programs the flexibility to map their information security directly onto the PCI DSS.”
The new PCI DSS standard aligns with NIST’s recently updated digital identity guidelines for authentication and identity management. Accordingly, the new standard governs access to cardholder data and expects: application and system account passwords to be rotated at least every 90 days wherever a password is the only authentication factor; strong passwords of at least 12 characters (8 where a system cannot support 12) containing both numeric and alphabetic characters; access privileges reviewed at least every six months; and restrictions on third-party accounts.
With the introduction of this new standard, the PCI Council expects: documented accountability requirements; targeted PCI risk requirements (with automated phishing detection required); stronger e-commerce firewalls and better protection of payment pages; automated log review and alerting through Security Information and Event Management (SIEM); vulnerability analysis, data governance and incident response; longer and more complex passwords (12 characters instead of 7) with forced rotation at least every three months; and mandatory multi-factor authentication for access to the cardholder data environment.
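The control parameters above (12-character minimum, 90-day rotation when a password is the sole factor, six-month privilege reviews, mandatory MFA for cardholder-data access, and time-bounded third-party accounts) are the kind of thing an organization can check mechanically across its account inventory while planning its gap remediation. The following is an added example written for this page, not code from the PCI Security Standards Council, Optiv or PKWARE; the `Account` fields, the 183-day approximation of “six months,” and the sample accounts are all constructed assumptions for illustration.

```python
"""Gap check of an account inventory against a few PCI DSS 4.0 control
parameters (added example; not the council's tooling)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Parameters as described in the text. Treating "six months" as 183 days
# and "three months" as 90 days is an assumption made for this example.
MIN_PASSWORD_LENGTH = 12
PASSWORD_MAX_AGE_DAYS = 90        # applies when the password is the only factor
PRIVILEGE_REVIEW_MAX_DAYS = 183


def password_meets_policy(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """Point-of-set check: minimum length plus at least one letter and one digit."""
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


@dataclass
class Account:
    name: str
    last_password_change: date
    last_privilege_review: date
    mfa_enabled: bool
    accesses_cardholder_data: bool
    third_party: bool = False
    enabled: bool = True
    access_window_end: Optional[date] = None  # hypothetical field for third-party accounts


def account_gaps(acct: Account, today: date) -> list[str]:
    """Return human-readable gaps for one account; an empty list means no findings."""
    gaps = []
    password_age = (today - acct.last_password_change).days
    if not acct.mfa_enabled and password_age > PASSWORD_MAX_AGE_DAYS:
        gaps.append(f"password is the sole factor and is {password_age} days old "
                    f"(limit {PASSWORD_MAX_AGE_DAYS})")
    review_age = (today - acct.last_privilege_review).days
    if review_age > PRIVILEGE_REVIEW_MAX_DAYS:
        gaps.append(f"access privileges last reviewed {review_age} days ago "
                    f"(limit {PRIVILEGE_REVIEW_MAX_DAYS})")
    if acct.accesses_cardholder_data and not acct.mfa_enabled:
        gaps.append("MFA not enforced for access to cardholder data")
    if acct.third_party and acct.enabled and (
        acct.access_window_end is None or today > acct.access_window_end
    ):
        gaps.append("third-party account enabled outside an approved access window")
    return gaps


def gap_report(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map account name -> gaps, omitting accounts with no findings."""
    report = {}
    for acct in accounts:
        gaps = account_gaps(acct, today)
        if gaps:
            report[acct.name] = gaps
    return report


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # Service account: password-only, 138 days old, reaches cardholder data.
    Account("app-svc-01", date(2024, 1, 15), date(2024, 3, 1),
            mfa_enabled=False, accesses_cardholder_data=True),
    # Human user with MFA, but privileges last reviewed 244 days ago.
    Account("jdoe", date(2024, 5, 20), date(2023, 10, 1),
            mfa_enabled=True, accesses_cardholder_data=True),
    # Vendor account still enabled after its access window closed on 15 May.
    Account("vendor-support", date(2024, 5, 1), date(2024, 5, 1),
            mfa_enabled=True, accesses_cardholder_data=False,
            third_party=True, enabled=True, access_window_end=date(2024, 5, 15)),
    # Fully compliant administrator.
    Account("ops-admin", date(2024, 4, 1), date(2024, 4, 1),
            mfa_enabled=True, accesses_cardholder_data=True),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ACCOUNTS, TODAY).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Note that the rotation check is deliberately skipped for accounts protected by MFA, since the 90-day limit in 4.0 applies where a password is the only authentication factor; an organization using the customized approach would replace these fixed windows with its own documented, risk-based thresholds.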
For the time being, the previous version 3.2.1 of PCI DSS will remain in force until it is retired at the end of the first quarter of 2024; and even then, PCI DSS 4.0 includes several future-dated requirements that remain best practices rather than mandatory controls until the end of the first quarter of 2025, according to Smith.
“The sooner gaps are identified in compliance with PCI DSS 4.0 requirements, the sooner projects can be planned, budgets requested, and work can begin to address compliance gaps,” Smith said.