MFA, Firewall Changes Among PCI SSC v4.0 Updates

Global payment data processes will have expanded security standards based on industry feedback

Jason Koestenblatt Team Lead, Content Marketing

3 Min Read

In an effort to enhance security measures around credit card payment systems while also updating terminology to support a broader range of technologies, the Payment Card Industry Security Standards Council (PCI SSC) announced an update to its Data Security Standard (DSS) v3.2.1 based on the input of more than 200 companies. 

Through March 2024, v3.2.1 will be phased out while the PCI SSC phases in v4.0, which the organization says was driven by industry feedback. More than 6,000 pieces of feedback were received from businesses in the global payments industry, and the update focuses on four specific goals:

Continue to meet the security needs of the payments industry 

  • Expanded multi-factor authentication requirements 
  • Updated password requirements 
  • New e-commerce and phishing requirements to address ongoing threats 

Promote security as a continuous process 

  • Clearly assigned roles and responsibilities for each requirement 
  • Added guidance to help people better understand how to implement and maintain security 
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers 

Increase flexibility for organizations  

  • Allowance of group, shared, and generic accounts 
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities 
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives 

Enhance validation methods and procedures 

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance 

Wider, more flexible security implementations

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, SVP, Standards Officer of PCI SSC in a statement. “Version 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”  

While the rollout of the updates will continue globally for several months, the PCI SSC has released its Report on Compliance Template, Report on Compliance Attestations of Compliance, and Report on Compliance Frequently Asked Questions. The organization said Self-Assessment Questionnaires will be released in April 2022.

“One of the key aspects to the update is the new embedded flexibility for organizations to address their specific security objectives and corresponding controls given the evolving technological and cyber threat environment,” said Justin Henkel, Head of the CISO Center of Excellence at OneTrust. “Overall, PCI Security Standard Council’s inclusion of changes recommended by the industry promotes a community approach to addressing security challenges and will improve standards’ effectiveness and industry uptake.” 

The PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 will give companies the ability to expand definitions and use of technology to address the ever-growing threat landscape. v3.2.1 has been in effect since May 2018.

How does OneTrust help?  

OneTrust delivers an integrated platform for risk management, specifically across IT, Security, and Third-party risk management. Organizations can scale collaboration by sharing automation best practices from assessments and automated workflows with the proper tooling. More importantly, third-party risk teams collaboratively share information with risk-adjacent programs and ease friction across traditionally manual collection points.  

Contact our team to learn more about how OneTrust can help streamline information gathering and remediation activities with tailored functionality and automation backed by compliance intelligence.
