This is what you need to know about the new changes to PCI-DSS 4.0

The latest revision of the Payment Card Industry Data Security Standards, version 4.0, has now been released.

The PCI Security Standards Council issued version 4.0 of the PCI Data Security Standard (PCI-DSS) on March 31, 2022. PCI-DSS v4.0 replaces PCI-DSS version 3.2.1 to address emerging threats and technologies and provide innovative ways to combat new threats.

There are sixty-four new requirements in PCI-DSS v4.0. Some of these requirements are effective immediately for all PCI-DSS v4.0 assessments, but most of these remain best practices for now and will not come into effect until March 31, 2025.

The twelve core PCI-DSS requirements did not fundamentally change with PCI-DSS v4.0, and they remain the critical foundation for securing payment card data.

However, the requirements were redesigned to focus on security objectives and to guide how security controls should be implemented. It’s also worth noting that PCI-DSS v3.2.1 will be retired on March 31, 2024.

What is New in PCI-DSS v4.0?

The goal of the updated security payment standard is to “address emerging threats and technologies and enable innovative methods to combat new threats,” per the PCI Security Standards Council. Some of the key high-level objectives are:

1) Continue to meet the security needs of the payments industry.

Why it’s important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements to address ongoing threats

2) Promote security as a continuous process.

Why it’s important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement
  • Added guidance to help people better understand how to implement and maintain security
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers

3) Increase flexibility for organizations using different methods to achieve security objectives.

Why it’s important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives

4) Enhance validation methods and procedures.

Why it’s important: Clear validation and reporting options support transparency and granularity.

Example:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

Cloud-Native Applications and PCI-DSS Compliance

Securing access to payment cardholder data, as required by PCI-DSS, can pose a significant challenge when organizations deploy applications across multiple environments, with no permanence of location or traditional network segmentation.

As a result, compliance controls must span every layer, from the infrastructure through the operating system to the network. Cloud architectures add complexity: they require changes in how organizations govern, monitor, and audit access, privileges, and networking.

Traditional security tools cannot track changes or provide the necessary context in such environments, so they will not deliver the same level of compliance assurance that they do in conventional infrastructures.

Cloud-native technology introduces dramatic changes to application development. It sometimes involves open-source components, potentially introducing new vulnerabilities, and evading security processes based on existing version and configuration management. It also accelerates the software development timeline, which puts pressure on established security practices.

Cloud-native environments impact PCI compliance in a few key areas:

Network Security
Containerized and serverless applications introduce challenges in tracking where your workloads are running. The network connections between the different workloads should be identified to prevent intrusion.

Vulnerability Management
Cloud-native applications that use open-source components may inherit their vulnerabilities. Those components should be monitored for published vulnerability information, and any findings mitigated before the application is used in production.

Access Control
Workloads should be accessible only to individuals with specific job-related needs.

Threat Analysis and Mitigation
One of the pillars of any given cloud-native environment is its policy-based security rules that can maintain an automated check for ongoing monitoring and prevention of malicious activity.

Data Protection, Real-time Visibility, and Event Auditing
Access to PCI-sensitive data and systems must be logged and audited. Access to these files must be restricted and backed up regularly. When working with containers, existing audit methods may not have sufficient functionality to track this kind of data in a cloud-native environment.

Stronger Authentication Requirements
Identity and access management (IAM) plays a crucial role in safeguarding cardholder data, and the new version of the standard recognizes that.

As the payments industry has gradually moved towards cloud infrastructures, stronger authentication standards for payment and control access logins are necessary. PCI-DSS 4.0 considers the following key points:

  • Multifactor authentication (MFA) usage for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment
  • Passwords for accounts used by applications and systems must be changed at least every twelve months and upon suspicion of compromise
  • Strong passwords for accounts used by applications and systems, which must contain at least fifteen alphanumeric characters. PCI-DSS requires that the prospective passwords be compared against the list of known bad passwords
  • Access privileges must be reviewed at least once every six months
  • Vendor or third-party accounts may be enabled only as needed and monitored when in use
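As an added illustration (not from the article or from CSP), the following Python policy checker encodes the thresholds exactly as the list above states them: the known-bad password list and the account records are constructed samples, and the constants are hypothetical policy settings rather than PCI SSC text.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds exactly as the article lists them (policy constants, not PCI SSC text).
MIN_PASSWORD_LENGTH = 15      # "at least fifteen alphanumeric characters"
MAX_PASSWORD_AGE_DAYS = 365   # "changed at least every twelve months"
ACCESS_REVIEW_DAYS = 183      # "reviewed at least once every six months"

# Constructed stand-in for a known-bad password list; a real deployment would
# load a breached-password corpus rather than these three sample values.
KNOWN_BAD_PASSWORDS = {"password123456789", "welcome2022welcome", "letmein12345letmein"}

def password_failures(password: str) -> list[str]:
    """Return every policy rule a candidate password breaks (empty list means it passes)."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("shorter than 15 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("needs both letters and digits")
    if password.lower() in KNOWN_BAD_PASSWORDS:
        failures.append("on known-bad password list")
    return failures

@dataclass
class Account:
    name: str
    password_set_on: str        # ISO date, e.g. "2024-01-15"
    last_access_review: str     # ISO date of the last privilege review
    has_mfa: bool
    suspected_compromise: bool = False
    vendor_account_enabled: bool = False

def account_findings(acct: Account, today: str) -> list[str]:
    """Flag an account against the MFA, rotation, review and vendor-account points above."""
    as_of = date.fromisoformat(today)
    password_age = (as_of - date.fromisoformat(acct.password_set_on)).days
    review_age = (as_of - date.fromisoformat(acct.last_access_review)).days
    findings = []
    if not acct.has_mfa:
        findings.append("MFA not enforced")
    if acct.suspected_compromise or password_age > MAX_PASSWORD_AGE_DAYS:
        findings.append("password rotation required")
    if review_age > ACCESS_REVIEW_DAYS:
        findings.append("access review overdue")
    if acct.vendor_account_enabled:
        findings.append("vendor account enabled: confirm need and monitor use")
    return findings
```

Running `account_findings` over an export of application and vendor accounts gives a quick pre-assessment view of which items on the list above still need attention.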

The PCI-DSS 4.0 standard is built with a zero-trust mindset, permitting organizations to build their own unique, pluggable authentication solutions to meet the data security regulatory requirements. At the same time, authentication methods can scale to fit the company’s transaction objectives and risk environment.

Ensure Compliance with Multi-Factor Authentication
Multi-factor authentication has become vital to securing access to systems and other valuable resources. It provides stronger protection for access to systems and financial applications, and it is also an important requirement for complying with regulations such as PCI-DSS 4.0 and GDPR. MFA also helps against phishing websites and spoofed applications: the added security layers it provides help keep you from falling for these types of traps.

Modern authentication methods represent a more robust security structure than simple passwords. They also provide a better user experience when logging into applications. MFA makes it easier for auditors to get answers to critical compliance questions.

MFA provides valuable information, such as which users are granted access to which system and how the access policy is enforced. Additionally, some modern MFA applications include reporting capabilities, which helps demonstrate that compliance standards such as PCI-DSS are met.

CSP Authenticator+® provides multi-factor authentication for NonStop servers and supports various authentication methods. It can be used as a Safeguard SEEP or with Pathway and non-Pathway applications. Almost any application, including TACL, can now easily support multi-factor authentication.

The new CSP Authenticator+ cloud-native application was developed using a modern cloud-based framework. This redesign focuses on providing security, flexibility, and scalability.

Multiple authentication methods such as RADIUS, Active Directory, RSA, and OpenLDAP are supported. Additional authentication methods include Email, Text Message, and Google Authenticator.

New features:

  • New cloud-based framework – A new cloud-native application built using modern technologies
  • Support for Kubernetes Helm deployments – easy to deploy in cloud environments using Kubernetes framework
  • Support for High Availability environments – Create highly available Kubernetes clusters for resiliency
  • No differentiation between Primary and Secondary authentication – users can choose any mix of available authentication methods, and even choose more than two authentication methods
  • Application-based authentication methods are now supported, and more authentication methods are being added. Authentication methods currently supported include RSA, LDAP, Active Directory, RADIUS, Google and Microsoft authenticator, OTP via Email, and OTP via SMS
  • Set different authentication methods for different user groups and privileged groups
  • Redesigned user interface makes it more intuitive and user friendly
  • Maintain a matrix of authentication profiles, policies (authentication methods), and users
  • Support for various databases, including Amazon S3, Atlas Cloud service, MongoDB, etc.

Benefits:

  • Protect valuable resources and data
  • Add layers of authentication for secure access to systems and critical applications
  • Address PCI compliance requirement 8.3 which requires multi-factor authentication for all personnel with remote access, and non-console administrative access to the cardholder data environment
  • Integrate with centralized ID management systems to effectively manage users

CSP Authenticator+ Key Features:

  • Support for multiple authentication factors including RSA, RADIUS, Active Directory, LDAP, Microsoft, Google, OTP
  • Create various profiles and policies for different sets of users, and applications
  • Ability to use more than two authentication methods
  • Provides standardized authentication across platforms
  • Configure for all or only selected/privileged users
  • Fully encrypted communications with cloud-native application
  • Supports various databases
  • Support for new authentication methods
  • Supports TACL, Pathway, and Non-Pathway applications

CSP – Compliance at your Fingertips®

For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com

We Built the Wiki for NonStop Security®

The CSP Team

+1 (905) 568-8900

Author

  • Henry Fonseca is a business professional with a background in branding, market development, customer relations, and financial management. As CSP's General Manager, Henry continues to develop an integrated marketing and business strategy to ensure that our solutions exceed customer expectations. Henry is an engaging and dynamic speaker who regularly presents on cybersecurity topics at conferences around the world.