The PCI Security Standards Council is currently developing version 4.0 of its Data Security Standard (DSS) [2], known as PCI DSS v4.0. The standard aims to ensure the safety and security of payment information [4], protecting credit card transaction data from fraud [5]. The goal of PCI DSS v4.0 is to combat the increasing cybercrime activity, particularly in the finance and payments industry [2].

Description

The development of PCI DSS v4.0 incorporates feedback from stakeholders and focuses on areas such as authentication, encryption [1] [3] [7], monitoring requirements [1] [7], and testing of critical controls [1]. While the 12 core requirements of PCI DSS are expected to remain unchanged [1], the standard will evolve to accommodate changes in technology [1], risk mitigation techniques [1], and the threat landscape [1]. The emphasis is on meeting security needs, adding flexibility [1], promoting security as a continuous process [1] [3], and enhancing validation methods and procedures [1].

To address the threats posed by scripts in online shopping and payments [6], PCI DSS v4.0 introduces two major controls [6]. Control 6.4.3 requires businesses to track authorized scripts [6], validate their integrity [6], and justify each script that loads in the user’s browser [6], including third- and fourth-party scripts [6]. Control 11.6.1 requires businesses to have measures in place to detect unauthorized changes to HTTP headers and payment page contents [6], checking them at least every seven days [6]. These controls will be in scope for assessments starting March 31, 2025 [6].
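Added example (not code from the cited sources): a minimal baseline-and-compare check in Python for the two controls above. It inventories every script a payment page loads and hashes each one (the 6.4.3 inventory and integrity record), then diffs a later capture of headers and scripts against that baseline (the 11.6.1 change detection). The HTML, headers and script bodies are constructed sample data, and `fetch` is an assumed stand-in for however a monitor retrieves external scripts.

```python
import hashlib
from html.parser import HTMLParser
class ScriptCollector(HTMLParser):
    """Collect every <script> element: external src (if any) plus inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def snapshot(html, headers, fetch):
    """Inventory a page as {'headers': {...}, 'scripts': {id: sha256}} (control 6.4.3)."""
    parser = ScriptCollector()
    parser.feed(html)
    scripts = {}
    for n, s in enumerate(parser.scripts, 1):  # external scripts keyed by src, inline by order
        data = fetch(s["src"]) if s["src"] else s["body"].encode()
        scripts[s["src"] or f"inline#{n}"] = hashlib.sha256(data).hexdigest()
    return {"headers": dict(headers), "scripts": scripts}

def detect_changes(baseline, current):
    """Diff two snapshots; each finding is what a control 11.6.1 alert would report."""
    findings = []
    for kind in ("headers", "scripts"):
        old, new = baseline[kind], current[kind]
        for key in sorted(set(old) | set(new)):
            if key not in old or key not in new:
                findings.append(f"{kind}: {'added' if key not in old else 'removed'} {key}")
            elif old[key] != new[key]:
                findings.append(f"{kind}: changed {key}")
    return findings

# Constructed sample data: a baseline capture and a later capture of the same payment page.
FETCHED = {"/js/checkout.js": b"function pay() {}", "https://cdn.example.test/a.js": b"x"}
BASE_HTML = '<script src="/js/checkout.js"></script><script>var cfg = {v: 1};</script>'
CUR_HTML = BASE_HTML.replace("v: 1", "v: 2") + '<script src="https://cdn.example.test/a.js"></script>'
BASE_HDRS = {"Content-Security-Policy": "script-src 'self'"}
CUR_HDRS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.test"}

def example_findings():
    base = snapshot(BASE_HTML, BASE_HDRS, FETCHED.__getitem__)
    return detect_changes(base, snapshot(CUR_HTML, CUR_HDRS, FETCHED.__getitem__))
```

An unknown external script raises `KeyError` from `fetch` rather than being silently hashed, which is the right failure mode for an inventory check; a real monitor would capture the live page and headers on the seven-day (or shorter) schedule and alert on any non-empty finding list.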

The rollout of PCI DSS v4.0 is discussed in a podcast episode featuring hosts from Retail & Hospitality ISAC and guests from PCI SSC and Target [3]. The new version of PCI DSS aims to address threats such as POS malware and skimming activity [3]. Target has developed open-source tools called Easy Sweep and Merry Maker to help retailers check for skimmers and protect against digital skimming [3]. PCI DSS v4.0 focuses on evolving to align with the changing payments industry and includes stronger encryption [3], complex authentication [3], and anti-phishing support [3]. Retailers new to PCI DSS v4.0 are advised to read the standard [3], which provides guidance and examples [3]. The new version introduces concepts like the Customized Approach and targeted risk analysis [3]. It is important for retailers to maintain their existing controls and perform security as a continuous process throughout the year [3].

Conclusion

Organizations and vendors accepting card payments are actively working towards meeting the compliance deadline for v4.0 [2], which is set for March 2025. The release timeframe for PCI DSS v4.0 will depend on the feedback received during the development period [1]. The new version of PCI DSS will have significant impacts on the finance and payments industry, providing stronger security measures to combat cybercrime. It is crucial for businesses to adapt to the evolving threats and ensure they have the necessary controls in place to protect payment information. By following the guidelines and recommendations outlined in PCI DSS v4.0, organizations can enhance their data security and mitigate the risks associated with fraudulent activities.

References

[1] https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
[2] https://www.darkreading.com/vulnerabilities-threats/making-sense-of-todays-payment-cybersecurity-landscape
[3] https://almosthomebiz.com/2023/10/01/rh-isac-and-pci-ssc-present-tips-for-transitioning-to-pci-dss-v4-0-a-conversation-with-target-3167/
[4] https://www.egis-security.com/pages/pci.php
[5] https://www.reverbtimemag.com/blogs_on/everything-you-need-to-know-about-pci-compliance-services
[6] https://sra.io/blog/unleashing-the-potential-of-pci-dss-v4-strengthening-your-online-payment-security/
[7] https://www.mageplaza.com/blog/what-is-pci-compliance.html