Few people think twice about leaving their payment details when purchasing something online. Data theft and fraud were once a great source of worry for internet shoppers, so what changed? For that, we can thank the Payment Card Industry Data Security Standard, PCI DSS for short. PCI DSS is a set of security standards that ensures a high level of security for credit card processing over the internet. PCI DSS was introduced in 2006 by the five most prominent credit card issuers: Visa, Mastercard, American Express, Discover, and JCB. These five credit card companies previously ran their own programs but decided to join forces and create the Payment Card Industry Security Standards Council (PCI SSC), which oversees the global standards.
Compliance with PCI DSS creates a more secure environment for processing, storing, and transmitting credit card information. The regulations aim to reduce credit card theft and fraud, thereby helping build trust between consumers and organizations. Even though credit card fraud rarely makes the headlines, it is probably a much bigger issue than you might expect. In 2020, credit card issuers, merchants, and consumers lost a combined $28.58 billion (Nilson Report). 2021 saw the highest number of data breaches on record, with 1,862 breaches, a 68% increase over the previous year (Money Transfer). If that wasn't bad enough, statistics also show that less than 1% of fraud cases are resolved by law enforcement (Money Transfer).
Despite the efforts deployed by the PCI SSC, credit card fraud remains far too common. In the first two quarters of 2022 alone, 230,937 credit card fraud reports were filed (Money Transfer). The alarming prevalence of card fraud and feedback from the payment industry triggered a change in regulations: PCI DSS 4.0. The updated regulations were made public in 2022, but organizations will have until March 2025 to fully comply. From March 2024 to March 2025, there will be a transition period, by the end of which organizations will have to be compliant with all of the new PCI DSS 4.0 regulations. This year-long transition period is necessary for companies to adapt to new regulations that represent a significant change. The entirety of the new regulations, including specific items and general guidance, can be found in a 360-page document. The modifications cover a wide array of topics, including access control, intrusion detection, anti-virus software, network segmentation, and firewalls. Merchants and companies that store or process credit card data must adapt to 53 new regulations, plus another 11 that apply only to transaction processing service providers. Some changes include:
For the first time in PCI DSS history, PCI DSS 4.0 allows customization of some of the security items. This customized approach is aimed at large, technically mature organizations that understand and master their own cyber security function. Customization will likely cost more time and money and require more complex validation from the PCI SSC. In return, it will empower organizations to use alternative methods and innovative technologies that meet the security levels set by PCI DSS.
In the same vein, the wording of specific terms has been updated to cover a broader range of technologies that achieve the same outcome. For instance, "anti-virus" has been changed to "anti-malware", and "firewalls" and "routers" have been replaced by "network security controls". These modifications give organizations more freedom to use new technologies to reach the same security goals.
PCI DSS 4.0 features updated regulations to prevent phishing at both the technological and the personnel level. First, complying entities will be required to set up automated email security software to identify and block phishing emails. Second, security awareness training shifts from a recommendation to a requirement. The training must cover specific security topics listed in PCI DSS 4.0, and the security training program must be reviewed and updated yearly to comply with the new regulations.