What is PCI DSS?

What is PCI DSS? 
The Payment Card Industry Data Security Standard (PCI DSS) ensures that payment card fraud is kept to a minimum and that payment card data is secure. It focuses on the handling and security of payment card information & protecting cardholders against misuse of their personal data If you're accepting, storing, transmitting, or processing cardholder data, you must follow the PCI Security Standards Council rules. Non-compliance can lead to heavy fines, transaction restrictions and permanent expulsion from payment card acceptance programmes. 

What are the critical changes in version 4? 

Customised Implementation Approach

Organisations now have the freedom to choose how they implement technology for compliance. Custom implementation allows companies to create plans to meet the rules in a way that suits their needs, which is particularly beneficial for larger companies with robust in-house compliance strategies. 

 Increased Focus on Vulnerability Management

Version 4 mandates addressing all vulnerabilities, regardless of severity level, prioritising the most critical. This shift recognises that any vulnerability, when exploited, can potentially lead to a data breach impacting cardholder data. 

Malware and Phishing Controls

While not a new standard, PCI DSS version 4 requires scanning all removable media devices with malware detection software to mitigate the threat of cyberattacks. This includes USBs and external hard drives, emphasising the need to overcome isolation strategies like air gaps. 

Improved Cybersecurity Awareness Training

Version 4 specifies more defined requirements for staff training. Staff must undergo training at least every 12 months, with the material reviewed annually to reflect the latest threat landscape developments. Topics include social engineering and phishing attacks. 

More Secure User Authentication
 

PCI DSS 4.0 introduces a new access control requirement, mandating Multi-Factor Authentication (MFA) for securing access to Cardholder Data Environments (CDE). This helps minimise the risk of account data compromise, aligning with the regulation's expectations for social engineering training. 

Additionally, PCI DSS 4.0 introduces 60 new requirements, including: 

- Keeping an inventory of all cryptography. 

- Mitigating eCommerce skimming attacks. 

- Implementing automated access log reviews. 

It's crucial for businesses processing credit card data to familiarise themselves with these changes and ensure full compliance by the specified deadline to maintain a secure payment processing environment. 

How can 1-Fix Limited help? 
 

We have created a useful compliance checklist for you to use to determine any gaps your organisation may have. You can view and download the free checklist here.

You can also arrange a call with us to identify gaps and how we can assist you to become compliant. We offer a PCI DSS course through our approved training partner to cover all aspects of compliance and staff training.