PCI-DSS 4.0 is here – This is what you need to know

The latest revision of the Payment Card Industry Data Security Standards, version 4.0, has now been released. The PCI Security Standards Council issued version 4.0 of the PCI Data Security Standard (PCI-DSS) on March 31, 2022. PCI-DSS v4.0 replaces PCI-DSS version 3.2.1 to address emerging threats and technologies and provide innovative ways to combat new threats.

There are sixty-four new requirements in PCI-DSS v4.0. Some of these requirements are effective immediately for all PCI-DSS v4.0 assessments, but most of these remain best practices for now and will not come into effect until March 31, 2025.

The twelve core PCI-DSS requirements did not fundamentally change with PCI-DSS v4.0, and they remain the critical foundation for securing payment card data.

However, the requirements were redesigned to focus on security objectives and to guide how security controls should be implemented. It’s also worth noting that PCI-DSS v3.2.1 will be retired on March 31, 2024.

What is New in PCI-DSS v4.0?

The goal of the updated security payment standard is to “address emerging threats and technologies and enable innovative methods to combat new threats,” per the PCI Security Standards Council. Some of the key high-level objectives are:

1) Continue to meet the security needs of the payments industry.

Why it’s important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements to address ongoing threats

2) Promote security as a continuous process.

Why it’s important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement
  • Added guidance to help people better understand how to implement and maintain security
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers

3) Increase flexibility for organizations using different methods to achieve security objectives.

Why it’s important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives

4) Enhance validation methods and procedures.

Why it’s important: Clear validation and reporting options support transparency and granularity.

Example:

Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

CSP PassPort® and PCI-DSS Compliance

CSP PassPort provides important security features for NonStop servers (with or without Safeguard) and greatly expands the Guardian security package.

While Safeguard provides a range of authorization and authentication controls, additional controls are required to manage how users log onto TACL and OSH, and what privileged commands they can use. In addition to this, once a user has logged on, it is critical to control which activities they can then carry out.

CSP PassPort addresses some of the following PCI-DSS requirements:

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 12: Maintain a policy that addresses information security for all personnel

CSP PassPort

CSP PassPort provides comprehensive user and command control, password quality enforcement and auditing. It controls and filters user access to systems, programs and commands according to customized user profiles. It offers superior user authentication, command control, session control, accountability, and auditing capabilities not available with Guardian or Safeguard security.

All user terminal input/output operations (including OSS) can be monitored via an easy-to-use GUI interface, while an audit process records all user activities.

[Screenshot: User Account Update Screen]

Major Benefits:

  • Limit user access to sensitive assets, programs and commands
  • Improve user accountability and audit activities
  • Track powerful user IDs and commands
  • Prevent easy hacks by enforcing Password Quality
  • Eliminate the need to disclose sensitive SUPERID passwords for executing commands
  • Generate extensive reports of user activities
  • Get real-time notifications with Alert-Plus, and forward logs to SIEM for analysis

Key Features:

  • Monitor and audit user sessions down to keystroke level
  • Role-based user access
  • Time restrictions by command and program
  • User Authentication SEEP to prevent users from logging on outside CSP PassPort
  • Powerful Custom Reporting
  • Control client connections by IP address or IP address ranges
  • Multi-factor authentication support (coming soon!)

Learn more about CSP PassPort here.

CSP – Compliance at your Fingertips ®

For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com

We Built the Wiki for NonStop Security ®

The CSP Team

+1 (905) 568-8900