
3 things you need to know about PCI DSS version 4.0 (effective March 31, 2024).

The clock is ticking. When the calendar page turns over to April 1, 2024, your organization must be in compliance with the newest version of the Payment Card Industry Data Security Standard (PCI DSS) 4.0. Start now so that you will be fully knowledgeable and prepared next spring.

1. Compliance is mandatory.

The financial industry continues to set forth these DSS regulations in order to protect the sensitive payment data of their cardholders. For you as a seller, complying is a must. If you fail to do so, card companies can fine your business every month until you meet these 51 new mandatory requirements. What’s more, you will receive higher penalties should a data breach occur when you are out of compliance.

2. PCI DSS has several notable changes.

Although you should still read the full summary of changes document for PCI DSS 4.0, modifications include the following.

  • Roles and responsibilities for PCI DSS requirements are defined.
  • Scope is documented.
  • Network changes should follow the same change control as everything else in scope.
  • Files used to create the infrastructure of your network must be secured.
  • The description of requirements shared between your organization and any third-party service providers is enhanced.

In general, the new standard seeks to further protect cardholder data by helping companies take a more holistic view of access controls and security measures. Areas to be modified include authentication and passwords, advanced system monitoring requirements, and enhanced guidance on multi-factor authentication.

3. There are new areas requiring your full attention.

PCI DSS 4.0 came into being because our world is morphing at a breakneck pace. These new rules are designed to reflect changes in how criminals attack systems as well as to take into account our evolving payments and technology landscape. The following elements will require most of your focus.

  • Install and maintain a firewall to encrypt incoming and outgoing network traffic. Configure routers and firewalls to protect cardholder data, and set rules determining which types of traffic are allowed and which are not.
  • Change all vendor default settings on servers, network devices, and applications. Upgrade your settings when obtaining new devices and hardware, and maintain documentation of your security procedures.
  • Protect your stored data. Tokenization and PCI compliance go hand in hand and help to make secure payment processing possible. You must demonstrate that you know where data is being stored, where it is going, and how long you will possess it. All data must be encrypted with industry-approved security keys and algorithms. This requirement also governs how card numbers are displayed.
  • Encrypt payment data during transmission. This requirement refers to data in motion via open, closed, public, and private networks. You need to know where information is coming from and going to and encrypt cardholder data before you transmit it. Implementing an extra anti-fraud layer with 3-D Secure is also highly recommended.
  • Keep antivirus software updated. Take steps to keep antivirus software current throughout your security chain, including servers, workstations, laptops, and mobile devices. It should always be running, using the latest signatures and creating logs.
  • Use secure systems and applications. This requires a thorough risk assessment and mitigation of any identified gaps or vulnerabilities before you can launch hardware and software designed to process payments. Throughout, remember to install patches as soon as they come out on all databases, POS terminals, and operating systems.
  • Implement data restrictions as necessary. Demonstrate that individuals can access sensitive cardholder data only on a need-to-know, business-critical basis. Additionally, you must meet PCI DSS 4.0 physical security requirements. All access policies should be documented, including lists of users and their access levels, job function, seniority, and reasons for needing access. This information should be updated regularly.
  • Assign user access identification. Each person should have their own username and complex password to foil internal and external hackers. Additionally, you should require two-factor authentication.
  • Restrict physical access to servers, workstations, or paper files where user data is stored. The new requirements also mandate electronic monitoring of the entrances and exits of physical locations where data is kept. Recordings and logs should be kept for at least 90 days. All portable media containing data must be secured and destroyed as soon as it is no longer needed.
  • Protect and monitor systems at all times, maintaining ongoing logs that are sent to a secure server daily. Security Information and Event Management (SIEM) software is particularly helpful in accomplishing this task. Logs of both suspicious and system activity must be kept, time-synchronized and maintained, for at least one year.
  • Implement continuous system and process testing to detect vulnerabilities. You will also need to conduct wireless analyzer scanning every quarter to detect unauthorized access points. A PCI-approved vendor must scan any external IPs and domains. Penetration and application tests should be conducted annually.
  • Create, implement, and maintain an information security policy company-wide. It should cover managers, employees, and third-party vendors and should be reviewed annually. It should also be given out to all affected internal and third-party users and signed by everyone. In addition, user awareness training and background checks are required as extra data access security measures.
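The display rule for card numbers in the "protect your stored data" item and the logging item later in the list meet in practice when a full PAN leaks into application logs that are then shipped to the SIEM. The following Python snippet is an added example, not code from Inovio or from this post: it masks a PAN to the BIN plus the last four digits, which PCI DSS v4.0 requirement 3.4.1 sets as the maximum that may be displayed, and scans a few constructed log lines for unmasked PANs, using the Luhn check to tell card numbers from other long digit runs so that only the redacted copy leaves the host. The log lines, function names, and the safeguard that an 8-digit BIN is shown only for PANs of 16 or more digits are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). Line 2 carries a
# well-known industry test card number, line 4 a 16-digit run that is NOT a
# valid PAN under the Luhn check, line 5 a second test number with spaces.
SAMPLE_LOG = """\
2024-03-31T12:00:01Z INFO  checkout started session=ab12
2024-03-31T12:00:02Z DEBUG gateway request pan=4111111111111111 amount=19.99
2024-03-31T12:00:02Z INFO  token issued tok_7f3a9c last4=1111
2024-03-31T12:00:03Z DEBUG trace id=1234567890123456 ok
2024-03-31T12:00:04Z DEBUG card 5555 5555 5555 4444 expiry=12/26
"""

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits (so a 20-digit run is not split into pieces).
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_digits: int = 6) -> str:
    """Mask a PAN for display: keep the BIN and the last four, hide the rest.

    PCI DSS v4.0 req. 3.4.1 allows at most BIN + last four to be shown.
    Assumption of this example: an 8-digit BIN is displayed only when the PAN
    has 16 or more digits, so that at least four digits stay hidden.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    if bin_digits not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if bin_digits == 8 and len(digits) < 16:
        raise ValueError("8-digit BIN display requires a PAN of 16+ digits")
    hidden = len(digits) - bin_digits - 4
    return digits[:bin_digits] + "*" * hidden + digits[-4:]


def find_unmasked_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid PAN in the text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _DIGIT_RUN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _DIGIT_RUN.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, would display as {masked}")
    print(redact(SAMPLE_LOG))
```

The scanner reports lines 2 and 5 and leaves line 4 alone, since the trace id fails the Luhn check; running the redacted output, not the raw log, through the daily log shipment keeps full PANs out of the SIEM and out of the one-year retention store.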

Getting started with PCI DSS 4.0 compliance.

If you’re feeling overwhelmed, it can help to break down your compliance journey into manageable steps.

  • Learn about the new standard by looking at the PCI SSC document library.
  • Make two separate gap assessments, one for April 1, 2024, for basic changes and a second for April 1, 2025, for the modifications requiring more complex technological adjustments.
  • Plan well in advance for 2025 changes, since they will most likely require financial investment in technology.
  • Meet the 2024 requirements by filling in any gaps and making the necessary small changes. Meanwhile, keep your eye on the 2025 deadline.
  • Do your first 4.0 assessment after April 1, 2024.
  • Complete your second 4.0 assessment after April 1, 2025. This will involve fulfilling all requirements.

Throughout these processes, a qualified security assessor (QSA) can be an invaluable ally in helping you to identify and mitigate risks and gaps in preparation for a full PCI DSS 4.0 assessment.

Before you know it, April 1, 2024, will be upon us, with 2025 not far behind. Take the time to prepare your systems, processes, and protocols now so that you and your staff can transition to this updated standard with relative ease.
