CISO Perspectives: PCI DSS 4.0

May 14, 2024 | 8 minute read
Leia Manchanda
Field CISO

Introduction

At Oracle we have always strived to help people see data in new ways, discover insights, and unlock endless possibilities.  We understand that business is driven by the need to compete in a digital world where the value of data is unlimited.  However, with innovation comes evolving risks that are compounded by the state of the threat landscape, as hackers race to profit from weaknesses in organizational defenses, and executives face the conundrum of where to invest to ensure emerging technologies are both evolving and secure. 

As the financial services industry and its customers lean into a digital banking landscape, protecting customer data is foundational. Data risk associated with digital payments is expected to reach an all-time high, with transaction volumes growing by over 25% year-over-year. Coupled with the ever-evolving cybersecurity landscape, this highlights why security requirements are more critical than ever.

In 2004, in response to growing concerns over payment fraud, credit card industry leaders including American Express, Discover Financial Services, JCB International, Mastercard and Visa formed the Payment Card Industry Security Standards Council (PCI SSC) to collaboratively develop a common set of security standards they would implement to protect payment card data. The resulting framework, the PCI Data Security Standard (DSS), provided a baseline of technical and operational requirements designed to protect account data.

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a security framework applicable to any organization that stores, processes, or transmits cardholder data.  The standard was developed to encourage and enhance payment card data security and facilitate the broad adoption of consistent data security measures globally.

While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment and technology ecosystems. The standard consists of 12 principal PCI DSS requirements, each broken down into detailed security requirements with corresponding testing procedures, grouped under 6 goals.

Goals and requirements

Build and Maintain a Secure Network and Systems

  1. Install and Maintain Network Security Controls.
  2. Apply Secure Configurations to All System Components.

Protect Account Data

  3. Protect Stored Account Data.
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program

  5. Protect All Systems and Networks from Malicious Software.
  6. Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures

  7. Restrict Access to System Components and Cardholder Data by Business Need to Know.
  8. Identify Users and Authenticate Access to System Components.
  9. Restrict Physical Access to Cardholder Data.

Regularly Monitor and Test Networks

  10. Log and Monitor All Access to System Components and Cardholder Data.
  11. Test Security of Systems and Networks Regularly.

Maintain an Information Security Policy

  12. Support Information Security with Organizational Policies and Programs.

Evolution

Fast forward twenty years to 2024, and the PCI Security Standards Council remains focused on continual improvement in step with the way the industry operates. Specifically, it is concerned with enhancing the way businesses handle the development, storage, dissemination, and security of data.

As threats and technology evolve, so do the PCI DSS standards, and after much deliberation the PCI Security Standards Council (SSC) released version 4.0 of the Data Security Standard (DSS).

At a high level, PCI DSS 4.0 is designed to further secure cardholder data by helping organizations take a more holistic view of security measures, and to respond to new threats posed by advances in technology.

There are four primary drivers of the changes:

  • Ensure the standard evolves to meet the security needs of the payments industry.
  • Promote security outcomes as a continuous process.
  • Enhance testing and validation methods and procedures.
  • Add flexibility and support of additional methodologies to achieve security.

The Council’s goal of bringing the PCI DSS standard up to date with current technologies and the threat landscape ultimately means revising requirements. The current revision is focused on security outcomes rather than simple prescription, and spans six areas:

  1. Flexibility. Flexibility offers enterprises a choice between a customized or a standard (defined) implementation, and focuses on security outcomes rather than on prescriptive methods in the defined approach.
  2. Security. Security enhancements ensure the protection of data through stronger security standards that promote security outcomes through a continuous and governed approach as data is processed, stored, and transmitted.
  3. Authentication. More focus is placed on applying stronger, NIST-aligned authentication standards to logins for payment and control processes, and during transaction authorization.
  4. Encryption. Broader cryptographic best practices and guidance on how to fully protect network transmissions across the full scope of the transaction, including cloud, mobile, and IoT.
  5. Monitoring. The adoption of risk-based solutions allows organizations to comply with the standard while deploying processes faster, without requiring the technology to be located in a specific control area.
  6. Testing. The new version requires a higher level of critical control validation, which includes a significant increase in the amount of testing required.

Figure 2: Timeline

PCI SSC has prescribed a transition period from 2022 to 2024/25, giving organizations time to become familiar with the new version, update reporting systems, and plan for and implement changes to comply with the updated requirements. 

Key milestones include:

  • March 2022 - PCI DSS version 4.0 published.
  • March 2024 - PCI DSS v3.2.1 is replaced with 4.0.
  • March 2025 - PCI DSS 4.0 goes into full effect. 

Impact

While PCI DSS 4.0 impacts the entire payment card supply chain, how the controls are implemented and by whom varies based on the environment.  For example, organizations with cloud footprints may share responsibility with cloud service providers, whereas customers with a mostly on-premises environment may carry the bulk of the responsibility alone. 

Understanding the provider's shared responsibility model is important when planning and deploying the new model or conducting validation.