Get ready for more stringent PCI DSS compliance requirements. The PCI Security Standards Council (PCI SSC) published version 4.0 of the standard in March 2022, in large part to address increasingly sophisticated cybercriminal threats. Rapidly growing contactless and cloud-based card usage also helped nudge an update to the requirements, which had last been revised in 2018 as version 3.2.1. Version 4.0 becomes the only active version once v3.2.1 is retired on March 31, 2024, and it applies to any organization that stores, processes or transmits cardholder data. The time to start preparing is now.
Meeting the stricter PCI DSS requirements can take time and affect your budget, especially if your existing controls were built around v3.2.1 and are not yet aligned with the new version. Reviewing your security posture now, while the deadline is still ahead, makes good cybersecurity sense. It also helps protect your reputation from a data breach and helps you avoid fines for noncompliance.
Related Reading: PCI Statistics That May Shock You
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides baseline technical and operational requirements for protecting payment account data. It is maintained by the PCI SSC so that those requirements keep pace with the payment industry's evolving security needs.
Complying with the payment card industry's requirements is more than following a rigid checklist. Organizations that treat PCI compliance as a vital part of their cybersecurity posture weave the requirements into daily operations and adjust their security measures as new threats emerge and new protections for valuable data become available.
Related Reading: How to Create a Cybersecurity Policy for Your Organization
Related Reading: How to Secure Your Data Exchanges
What Are the New PCI 4.0 Requirements?
The new standard can be found on the PCI SSC website. The PCI SSC states four goals for the update: continue to meet the evolving security needs of the payment industry, promote security as a continuous process rather than a point-in-time exercise, add flexibility in the methods organizations can use to achieve security objectives, and enhance the validation methods and procedures used to demonstrate compliance.
According to the PCI Council, here are a few key changes to the new version:
- Updates the firewall terminology to reference network security controls. This change supports a broader range of technology designed to meet security objectives traditionally met by firewalls.
- Expands Requirement 8 to require multi-factor authentication (MFA) for all access into the cardholder data environment (CDE), not only for non-console administrative access and remote access as under v3.2.1.
- Introduces the customized approach as an alternative to the defined approach, giving organizations more flexibility to meet a requirement's stated objective with controls of their own choosing, provided those controls are documented and tested.
- Adds targeted risk analyses, which let organizations define how frequently they perform certain activities based on their own business needs and risk exposure, instead of following a fixed interval.
For most organizations, moving to PCI DSS 4.0 is a phased process, and the Council has published specific timelines to support it. Because full compliance with the new standard may take time, v3.2.1 remains active until it is retired on March 31, 2024, so assessments can be performed against either version until that date; after it, only v4.0 can be used.
The 12 Controls of PCI DSS 4.0
Version 4.0 keeps the same 12 principal requirements (commonly called controls), but several titles have been reworded. The changes are subtle but important, because the new wording signals changes in scope:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security within organizational policies and programs
Investing time today to review the timeline helps ensure your resources are aligned and can save you the stress of a last-minute scramble. For example, Requirement 3 now covers stored account data rather than just cardholder data. Account data is the broader term: it comprises cardholder data (primary account number, cardholder name, expiration date and service code) and sensitive authentication data (full track data, card verification codes, PINs and PIN blocks). Make sure your data discovery and compliance scoping capture both categories, not just the PAN. In addition to the requirements that apply from March 2024, the Council designates a larger set of future-dated requirements that are considered best practice until March 31, 2025 and become mandatory after that date.
Related Reading: Avoid a PCI Breach; Avoid Costly Consequences
How Can Managed File Transfer Help Meet PCI 4.0 Compliance?
Meeting all the requirements for compliance with PCI DSS is easier if you have technical solutions that are centralized, automated and auditable, such as secure file transfer. GoAnywhere MFT (Managed File Transfer) can help meet PCI compliance as it offers:
• Centralized control and management of file transfers
• Role-based administration and permissions
• Secure connections for the transmission of sensitive data
• Encryption of data at rest and in motion
• Strong encryption key management with separation of duties
• Keeping PCI-related data out of the DMZ
• Closed inbound ports into the private network to prevent intrusion
• Detailed audit logs for reporting
As PCI DSS compliance continues to evolve, robust technical solutions like GoAnywhere MFT can make it easier to meet the security requirements without taxing your employees unnecessarily. Most technical requirements in version 4.0 carry over from v3.2.1, but the emphasis shifts toward continuous, operational compliance, and entities are expected to document and evidence the processes and procedures they have in place.
On-Demand Webinar: Get the Most Out of GoAnywhere: PCI DSS Security Settings Report
See How GoAnywhere Can Help You Meet PCI DSS Compliance Requirements
We offer 15-, 30-, and 60-minute demonstrations of GoAnywhere to help you see how secure file transfer can help you meet the upcoming PCI DSS 4.0 compliance requirements. Schedule your demonstration today to get ahead of the rush to meet the broader scope of PCI DSS compliance.