April 7, 2022
MFA, Firewall Changes Among PCI SSC v4.0 Updates
3 Min Read
In an effort to enhance security measures around credit card payment systems while also updating terminology to support a broader range of technologies, the Payment Card Industry Security Standards Council (PCI SSC) announced an update to its Data Security Standard (DSS) v3.2.1 based on the input of more than 200 companies.
Through March 2024, v3.2.1 will be phased out while the PCI SSC phases in v4.0, which was driven by industry feedback, according to the organization. There were more than 6,000 pieces of feedback received from businesses in the global payments industry, focusing on four specific goals, including:
Continue to meet the security needs of the payments industry
- Expanded multi-factor authentication requirements
- Updated password requirements
- New e-commerce and phishing requirements to address ongoing threats
Promote security as a continuous process
- Clearly assigned roles and responsibilities for each requirement
- Added guidance to help people better understand how to implement and maintain security
- New reporting option to highlight areas for improvement and provide more transparency for report reviewers
Increase flexibility for organizations
- Allowance of group, shared, and generic accounts
- Targeted risk analyses empower organizations to establish frequencies for performing certain activities
- Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives
Enhance validation methods and procedures
- Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance
Wider, more flexible security implementations
“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, SVP, Standards Officer of PCI SSC in a statement. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”
While the rollout of the updates will continue globally for several months, PCI SSD has released its Report on Compliance Template, Report on Compliance Attestations of Compliance, and Report on Compliance Frequently Asked Questions. The organization said Self-Assessment Questionnaires will be released in April 2022.
“One of the key aspects to the update is the new embedded flexibility for organizations to address their specific security objectives and corresponding controls given the evolving technological and cyber threat environment,” said Justin Henkel, Head of the CISO Center of Excellence at OneTrust. “Overall, PCI Security Standard Council’s inclusion of changes recommended by the industry promotes a community approach to addressing security challenges and will improve standards’ effectiveness and industry uptake.”
The PCI DSS is a global standard that provides a baseline of technical and operational requirements designated to protect payment data. PCI DSS v.4.0 will give companies the ability to expand definitions and use of technology to address the ever-growing threat landscape. The v3.2.1 has been in effect since May of 2018.
How does OneTrust help?
OneTrust delivers an integrated platform for risk management, specifically across IT, Security, and Third-party risk management. Organizations can scale collaboration by sharing automation best practices from assessments and automated workflows with the proper tooling. More importantly, third-party risk teams collaboratively share information with risk-adjacent programs and ease friction across traditionally manual collection points.
Contact our team to learn more about how OneTrust can help streamline information gathering and remediation activities with tailored functionality and automation backed by compliance intelligence.