An introduction to PCI DSS
PCI DSS 4.0: Motives, Content, and Timeline Explained
Few people think twice about leaving their payment details when purchasing something online. Data theft and fraud were once a great source of worry for internet shoppers, so what changed? For that, we can thank the Payment Card Industry Data Security Standard, PCI DSS for short. PCI DSS is a set of security standards that ensures a high level of security for credit card processing over the internet. PCI DSS was introduced in 2006 by the 5 most prominent credit card issuers: Visa, Mastercard, American Express, Discover, and JCB. These 5 credit card companies previously ran their own programs but decided to join forces and create the Payment Card Industry Security Standards Council (PCI SSC), which oversees the global standard.
Compliance with PCI DSS creates a more secure environment for processing, storing, and transmitting credit card information. The requirements aim to reduce credit card theft and fraud, thereby helping build trust between consumers and organizations. Even though credit card fraud rarely makes the headlines, it is probably a much bigger problem than you might expect. In 2020, credit card issuers, merchants, and consumers lost a combined $28.58 billion (Nilson report). 2021 saw the highest number of data breaches on record, with 1,862 data breaches, a 68% increase from the previous year (Money Transfer). If that wasn't bad enough, statistics also show that less than 1% of frauds are resolved by law enforcement (Money Transfer).
PCI DSS levels and requirements
PCI DSS is divided into 4 levels that determine how an organization is required to prove its compliance and report it. The lowest level, Level 4, is for companies that process under 20,000 transactions yearly. This level is for smaller companies, such as small e-commerce websites or individuals selling homemade goods. At this level, organizations are required to fill out a self-assessment questionnaire yearly. The highest level, Level 1, includes companies that process over 6 million transactions a year. This covers the more prominent organizations that trade globally, such as Amazon, Etsy, and eBay. Level 1 companies are accredited by a PCI auditor and undergo an annual internal audit. At this level, organizations are also subject to a quarterly PCI scan by an Approved Scanning Vendor. PCI DSS consists of 12 requirements, divided into six areas:
- Secure network (2 requirements)
- Secure cardholder data (2 requirements)
- Vulnerability management (2 requirements)
- Access control (3 requirements)
- Network monitoring and testing (2 requirements)
- Information security (1 requirement)
PCI DSS 4.0
Despite the efforts deployed by the PCI SSC, credit card fraud remains far too common. In the first two quarters of 2022 alone, 230,937 credit card fraud reports were filed (Money Transfer). The alarming prevalence of card fraud and feedback from the payment industry triggered a change in the standard: PCI DSS 4.0. The updated requirements were made public in 2022, but organizations will have until March 2025 to fully comply. From March 2024 to March 2025, there will be a transition period, by the end of which organizations will have to be compliant with all the new PCI DSS 4.0 requirements. This year-long transition period is necessary because the new requirements represent a significant change for companies to adapt to. The entirety of the new standard, including specific items and general guidance, can be found in a 360-page document. The modifications cover a wide array of topics, including access control, intrusion detection, anti-virus software, network segmentation, and firewalls. Merchants and other organizations that store or process credit card data must adapt to 53 new requirements, plus another 11 that apply only to transaction processing service providers. Some of the changes include:
For the first time in PCI DSS history, PCI DSS 4.0 allows customization of some of the security items. This option is aimed at big, tech-savvy companies that understand and can manage their own cybersecurity function. Customization will likely cost more time and money and require more complex validation from the PCI SSC. In return, it will empower organizations to use alternative methods and innovative technologies that meet the security levels set by PCI DSS.
In the same vein, the wording of specific terms has been updated to include a broader range of technologies with the same outcome. For instance, "anti-virus" has been changed to "anti-malware", and "firewalls" and "routers" have been replaced by "network security controls". These modifications aim to allow more freedom for organizations to use new technologies to achieve the same security goals.
PCI DSS 4.0 features updated requirements to prevent phishing at both a technological and a personnel level. First, complying entities will be required to set up automated email security software to identify and block phishing emails. Second, security awareness training shifts from a recommendation to a requirement. The training must cover the specific security topics listed in PCI DSS 4.0, and the security training program must be reviewed and updated yearly to comply with the new requirements.