What a whirlwind the past few years have been! Every industry has been affected by the pandemic in one way or another, so let’s discuss what changes have taken place in the payments industry.
A surge in online purchases, more point-of-sale (POS) devices, and cardholder data being stored on cloud platforms are among the many changes that have taken place.
These changes are reflected in the latest version of the standard, PCI DSS 4.0. For a comprehensive view of all the changes, you can review the Summary of Changes document from PCI DSS version 3.2.1 to version 4.0, available in the PCI SSC Document Library. Below we briefly highlight the key changes.
PCI DSS 4.0 had a formal release date of March 2022. If you have not yet upgraded, the older PCI DSS version 3.2.1 will remain operational for the next 2 years, so you have time to adjust. Among other upgrades, PCI DSS 4.0 welcomes an alternative way to achieve compliance, the customized implementation, which is based on a zero-trust model. It allows businesses to design a unique authentication solution that meets the data security regulatory requirements.
PCI DSS 4.0 has replaced the anti-virus programs of 3.2.1 with anti-malware programs that cover a wider range of technologies and security practices, creating safer and better systems. Industry feedback has led to multi-factor authentication becoming compulsory, and payment data gains further protection through new controls that address sophisticated cyber-attacks. The 12 core PCI DSS requirements did not change, but they have been redesigned to focus on security objectives and to provide a guide for how security controls should be implemented.
Overall, the goals of PCI DSS 4.0 are simple: ensure the standard continues to meet the security needs of the industry, promote security as a continuous process, and enhance validation methods and procedures. The payments industry is evolving and gradually moving to the cloud, and these changes require stronger authentication standards for payments and access logins.
What about merchants, and how does PCI DSS 4.0 impact them? Under the previous version, 3.2.1, if merchants could not meet the prescriptive controls, they needed to propose a compensating control and justify it with a risk assessment and a compensating control worksheet (CCW). While this option is still available in v4.0, there is now an additional option: the customized approach. The customized approach still retains the requirement to evaluate risk, but it allows a more strategic pathway to meeting a control. Instead of compensating for the lack of a control, the customized approach allows the merchant or service provider to document a different control based on the objective of the control being customized.
The payments industry is changing, and so is our software. Be sure to stay in the loop and subscribe to our newsletter for the most up-to-date information.