Join the webinar ‘PCI DSS 4.0 Compliance – Tips and Best Practices to Avoid Last-Minute Panic’ live on September 26.

While the deadline for compliance with the Payment Card Industry Data Security Standard (PCI DSS) 4.0 requirements isn’t until March 31, 2024, organizations that allow those remaining months to fly by without adequate preparation may face last-minute PCI panic and penalties. The best approach is to steadily reach critical milestones, so you’ll be fully prepared when the deadline arrives.

Join Steven Sletten, Principal Systems Engineer with Fortra’s Tripwire, and Holger Schulze, Founder of Cybersecurity Insiders, for a look at:

– What is changing in the PCI 4.0 update
– How to avoid surprises by streamlining your timeline into a prioritized roadmap
– How to expertly tackle each of the requirements in time.

By starting early, you will be on the right path to making the transition a success.


The post WEBINAR: PCI DSS 4.0 Compliance – Tips and Best Practices to Avoid Last-Minute Panic appeared first on Cybersecurity Insiders.

By Tyler Reguly, senior manager, security R&D at cybersecurity software and services provider Fortra

The pandemic ushered in an unprecedented wave of online purchasing, as people around the world became far more comfortable with virtual shopping. In fact, the U.S. Census Bureau’s latest Annual Retail Trade Survey reports e-commerce expenditures rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.

Cybercriminals everywhere matched the uptick with clever new schemes to filch payment card data and defraud victims of billions of dollars. The Nilson Report estimated $28.6 billion in payment card-related losses occurred in 2020 (over one-third of them in the U.S.). They also predict this number will reach $408 billion in losses by 2030.

Time for change

With the boom in digital commerce paired with the increased popularity of contactless payment and cloud-stored accountholder data, the Payment Card Industry (PCI) Security Standards Council decided to re-evaluate the existing standard. First launched in 2004 and updated most recently in 2018, the PCI Data Security Standard (PCI DSS) is continually updated to reflect the evolving challenges of the cyberthreat landscape.

The current version, PCI DSS v3.2.1, is clearly failing to protect cardholder account details effectively in today’s environment. The Council gathered input from 200+ organizations and announced the updated requirements in March 2022, which will become mandatory on March 31, 2024. Organizations also have until 2025 to implement a set of future-dated changes. The full timeline can be found on the PCI Security Standards Council website.

The 12 controls

PCI DSS 4.0 spans 12 controls, several of which have received updates in the latest version. According to the PCI Council, the enhanced requirements promote security as a continuous process while adding flexibility for different methodologies.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security within organizational policies and programs

Changes in PCI DSS 4.0

In looking at the new standard more closely, there are several requirements with notable changes. Below is a high-level overview of the differences between PCI v3.2.1 and PCI v4.0:

Requirement 2: Broader scope defining the need for security configuration management (SCM) on more types of assets.

Requirement 3: “Account Data” instead of “Cardholder Data” indicates a potential increase of scope for PCI assets.

Requirement 4: Less specificity on the type of encryption used means your organization is freer to follow industry best practices. An important takeaway is to internally define what those technical standards are and be able to justify why they are now “Strong Cryptography” so that you can still pass your PCI audit (essentially, just document what standards you are following and why).

Requirement 5: It is no longer sufficient to just have standard antivirus software. This requirement now specifically calls for anti-malware to be in place, necessitating either a strong antivirus solution with malware protection or an EDR/MDR/XDR solution.

Requirements 7–9: These requirements are largely the same as before, but the big takeaway is that instead of only enforcing access controls at the system level, the standard now expects this to be done more granularly, down to specific components such as software, databases, etc.

Your five-step PCI DSS 4.0 transition checklist

As you get up to speed on how the standard itself has evolved, you’ll begin to understand the potential impact to your own processes and operations. This isn’t a one-and-done type of effort. It will require a phased approach over time. Successful organizations will view the new requirements as an opportunity to strengthen the security mindset across many aspects of their business.

To help you get started, you’ll want to build the following components into your initiative:

  1. Plan a phased implementation according to the PCI timeline
  2. Review potential changes to scope
  3. Conduct a people and process evaluation
  4. Strengthen security configuration management (SCM) processes
  5. Onboard a tool that automates continuous compliance

Go in-depth on how to approach each of these items in this executive guide, the Five-Step PCI DSS v4.0 Transition Checklist. This essential resource helps you understand the requirements of PCI DSS 4.0 and how to ensure your organization is addressing the changes needed to avoid audit fines and data breaches.

Above all, securing payment card information helps protect your customers’ sensitive information and your company’s reputation by preventing costly business disruption in a fast-changing cyberattack environment.

Tyler Reguly is senior manager, security R&D at cybersecurity software and services provider Fortra, responsible for overseeing TACTIC, a team of security researchers that provide the security expertise that powers the company’s Tripwire product line.

In addition to security research, Tyler has worked closely with Fanshawe College, from which he graduated with a diploma in Computer Systems Technology, developing five courses including subjects like Advanced Hacker Techniques & Tactics, Hacking and Exploits, Malware Research, Evolving Technologies and Threats, and Python Programming.

Tyler has contributed to various standards over the years including CVSSv3 and has provided technical editing to a number of published books. In addition, he is a co-founder of the IoT Hack Lab that has been offered at SecTor (Security Education Conference Toronto) since 2015.


The post The Five-Step PCI DSS 4.0 Transition Checklist appeared first on Cybersecurity Insiders.

In March 2022, the Payment Card Industry Data Security Standard (PCI DSS) was updated with a number of new and modified requirements. Since their last update in 2018, there has been a rapid increase in the use of cloud technologies, contactless payments have become the norm, and the COVID-19 pandemic spurred a massive growth in […]

The post A 5 Step Checklist for Complying with PCI DSS 4.0 appeared first on The State of Security.

The new PCI DSS Standard, version 4.0, contains all the steps, best practices, and explanations required for full compliance. In fact, even an organization that does not process cardholder data could follow the PCI Standard to implement a robust cybersecurity program for any of its important data. In our series about how the new standard […]

The post PCI 4.0: The wider meanings of the new Standard appeared first on The State of Security.

As we continue our review of the 12 Requirements of PCI DSS version 4.0, one has to stop and consider, is it possible to have a favorite section of a standard? After all, most guidance documents, as well as regulations are seen as tedious distractions from the importance of getting the job done. However, depending […]

The post What you need to know about PCI 4.0: Requirements 10, 11 and 12 appeared first on The State of Security.

In Part 1 of this series, we reviewed the first four sections of the new PCI standards. As we continue our examination of PCI DSS version 4.0, we will consider what organizations will need to do in order to successfully transition and satisfy this update. Requirements 5 through 9 are organized under two categories: Maintain […]

The post What you need to know about PCI 4.0: Requirements 5, 6, 7, 8 and 9 appeared first on The State of Security.

The Payment Card Industry Security Standards Council has released its first update to their Data Security Standard (PCI DSS) since 2018. The new standard, version 4.0, is set to generally go into effect by 2024, but there are suggested updates that are not going to be required until a year after that. This, of course, […]

The post What you need to know about PCI 4.0: Requirements 1, 2, 3 and 4. appeared first on The State of Security.

It’s not often we can say this, but 2022 is shaping up to be an exciting time in information governance, especially for those interested in compliance and compliance frameworks. We started the year in eager anticipation of the new version of the international standard for information security management systems, ISO 27001:2022, soon to be followed […]

The post PCI DSS 4.0 and ISO 27001 – the dynamic duo appeared first on The State of Security.

The Payment Card Industry Data Security Standard (PCI DSS) is a benchmark with tenure in the industry, with the first version being introduced in 2004. The PCI DSS was unique when it was introduced because of its prescriptive nature and its focus on protecting cardholder data. Cybersecurity is a changing landscape, and prescriptive standards must […]

The post PCI DSS 4.0 is Here: What you Need to Consider appeared first on The State of Security.