What Does PCI DSS V4 Mean for Businesses?

Consumers expect their data to be stored safely wherever it is held. In some cases governments have enacted regulations such as GDPR to enforce this; in others, private industry sets the bar. The Payment Card Industry Security Standards Council (PCI SSC) is a global forum created to raise the security standards for payments worldwide.

What is the PCI SSC?

Founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., the PCI SSC is an organisation built around four main pillars:

1) Increasing industry participation and knowledge
2) Evolving security standards and validation
3) Securing emerging payment channels
4) Increasing standards alignment and consistency

As part of its commitment to evolving security standards, the PCI SSC maintains the Payment Card Industry Data Security Standard (PCI DSS), which lays out the minimum technical and operational requirements for protecting payment data. The standard is updated periodically in line with new threats; Version 3.2.1 was published in 2018. Purchasing habits have changed radically in the intervening years: point-of-sale terminal use has grown enormously, technology has evolved, and far more organisations run their payment systems on cloud-based services.

As a result, PCI DSS Version 4.0 was published in March 2022.


What’s different in PCI DSS Version 4?

Many of the key requirements merchants have been adhering to in previous versions of the PCI DSS have remained the same in Version 4, but some have been redesigned to allow for flexibility in how the requirements are met. Below are some of the key changes businesses should be aware of.

Protection against malware

Malware is constantly evolving, so defences have to evolve too. Version 4 is explicit that a point-in-time assessment once a year is no longer enough to meet the standard. Security must become an ongoing process, with controls operating, and being checked, continuously between assessments rather than only in the run-up to one.

Included in this is the stipulation that roles and responsibilities for each PCI DSS requirement are documented and assigned to named staff, and that reporting is more detailed, giving assessors and management clearer visibility of how each requirement is actually being met.

Also, under the new guidelines, at least every 12 months and whenever the environment changes significantly, businesses must confirm the scope of their PCI DSS environment. This includes locating and accounting for every source and location of cleartext (non-encrypted) primary account numbers (PAN). Cardholder data that has leaked into unexpected places such as application logs, spreadsheets, backups or support tickets sits outside the controls that protect the rest of the environment, so knowing where it lives is the precondition for either protecting it or removing it.
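The scope-confirmation step above usually starts with a scan of logs, exports and file shares for anything that looks like a cleartext PAN. The following is an added example written for this page, not code from the PCI SSC or from any product: it pairs a digit-pattern regex with the Luhn mod-10 check that card numbers satisfy, so that order numbers, timestamps and phone numbers are not reported as PANs, and it masks everything it finds so the report itself does not become another cleartext copy. The log lines are constructed for the example; the card numbers in them are the publicly known brand test numbers, not real accounts, and the 13-to-19-digit pattern is a heuristic, not a definition from the standard.

```python
import re
from dataclasses import dataclass

# Heuristic candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits. Assumed for this example;
# a production scanner would also apply per-brand prefix and length rules.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    line_no: int   # 1-based line number where the candidate was found
    masked: str    # first six and last four digits; the middle replaced with '*'
    length: int    # number of digits in the PAN


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits so the report never holds a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines):
    """Return a Finding for every Luhn-valid PAN candidate in an iterable of text lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):   # drops most numeric IDs that merely look like PANs
                findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings


def scan_file(path):
    """Scan a text file (a log, CSV export, etc.) line by line."""
    with open(path, "r", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample log lines (not real transactions). Lines 1 and 5 carry
# brand test numbers; line 2 is already masked; line 3 is a 16-digit reference
# that fails Luhn; line 4 is a phone number with too few digits.
SAMPLE_LINES = [
    "2022-06-01 10:15:02 order=99817 pan=4111 1111 1111 1111 exp=1224 result=APPROVED",
    "2022-06-01 10:15:09 order=99818 pan=411111******1111 result=APPROVED",
    "2022-06-01 10:16:44 order=99819 ref=1234567890123456 result=DECLINED",
    "2022-06-01 10:17:01 customer phone=+44 20 7946 0958 note=callback",
    "2022-06-01 10:18:33 order=99820 pan=378282246310005 result=APPROVED",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.masked} ({f.length} digits)")
```

Run against the sample, only lines 1 and 5 are reported. The Luhn check is what keeps the false-positive rate workable on real data, but it is not proof of a PAN: any 16-digit string has a one-in-ten chance of passing, so findings still need a human to confirm them and decide whether the data is deleted, truncated or brought into scope.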

More flexibility for security

The updated standard has replaced product-specific terms such as 'firewalls' and 'routers' with the broader 'network security controls', so that businesses can meet the requirement with whatever technology suits their environment. Version 4 also introduces the customised approach: instead of implementing a requirement exactly as written (the defined approach), a business may design its own control, and as long as that control demonstrably meets the requirement's stated objective it is considered valid. Compensating controls still exist for businesses with a documented constraint that prevents them from meeting a requirement as written, but the customised approach is intended for organisations with mature, risk-based security programmes rather than as a workaround.

Personnel and authentication requirements

PCI DSS V4 also raises the bar for the individual accounts used to access cardholder data. Previously the minimum password length was seven characters. Version 4 requires at least 12 characters, or eight where a system cannot support 12 (this longer minimum is one of the requirements that remains best practice until March 2025). Where a password is the only authentication factor, it must be changed at least every 90 days or the account's security posture must be dynamically analysed instead. All user accounts and their privileges must be reviewed at least every six months, and accounts used by third parties for remote access must be enabled only for the time they are needed and monitored for unexpected activity.

It is also quite possible that future versions of the PCI DSS will replace passwords altogether, and V4 arguably takes a step in that direction. Every person with access to cardholder data already needs their own unique ID; Version 4 goes further by requiring multi-factor authentication for all access into the cardholder data environment, not only for administrators. For many businesses, issuing a physical token to everyone is a logistical burden, which is why software-based second factors and biometric factors are already being implemented, and physical or behavioural biometrics are likely to become increasingly commonplace in the coming years.


How should businesses react to PCI DSS V4?

Although Version 4.0 was released this year, the PCI SSC has allowed a two-year transition period. Version 3.2.1 remains valid until 31 March 2024, when it is retired and all assessments move to Version 4; a number of the new requirements are additionally treated as best practice until 31 March 2025, after which they become mandatory.

To help businesses be ready when the time comes, we have outlined five key steps:

1) Review and understand the entirety of the update requirements
2) Compare existing policies and procedures to the new version’s requirements
3) Establish a member of staff or team to oversee the transition
4) Remove all unnecessary data from systems
5) Update, regularly test, and closely document all security activities

What happens if businesses fail to comply?

Businesses that fail to comply with PCI DSS open themselves up to significant penalties. The PCI SSC itself does not levy fines; the card brands fine the acquiring banks, which pass the cost on to the merchant, and figures of $5,000 to $100,000 a month are commonly cited depending on transaction volume and how long the non-compliance lasts. More long-lasting, however, is the effect on company reputation. Consumers expect that each time they enter their card details or tap a terminal, their data is secure. Non-compliance with PCI DSS could seriously damage brand reputation, resulting in lost sales and increased customer churn.

Security matters to consumers; make sure they know it matters to you too.