The Payment Card Industry Security Standards Council (PCI SSC), a global payment security forum, published version 4.0 of the PCI Data Security Standard on 31 March 2022. PCI DSS v4.0 supersedes version 3.2.1. This release is the first revision to the Data Security Standard (DSS) in almost four years, and it represents a major update to the standard, reflecting the ever-evolving threat landscape the payments industry operates in.
What is PCI DSS and its Compliance:
The Payment Card Industry Data Security Standard is a set of requirements intended to ensure that all companies that process, store, or transmit credit card (or any payment card) information maintain a secure environment. It also includes a holistic information security standard for organizations that handle branded credit cards (or any payment card) from the major card schemes. From a customer's perspective, the new standard and its implementation promise more security and assurance when owning a payment card and using it in that environment. The Council was launched on 07 September 2006 to manage PCI security standards and improve account security throughout the transaction process. The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
PCI DSS in India:
India is one of the fastest-growing fintech markets in the world: valued at Rupees 45 Hundred Crore in 2020, it is estimated to reach Rupees 77 Lakh Crore by 2025. Along with UPI came India Stack, a set of open-source APIs provided by the Unique Identification Authority of India (UIDAI) to pave the way for further innovation in this space. Many of these fintech services cater to the payment card industry or its clients as well. Indian industry will also have to adopt PCI DSS 4.0, as it is threatened by security breaches time and again.
“With India being a highly targeted country by cyber hackers, securing payment data with data security standards in an evolving payment ecosystem is critical to build robust payments infrastructure keeping security at the centre of everything,” says Nitin Bhatnagar, Associate Regional Director – India, PCI Security Standards Council. “PCI DSS v4.0 is a unique example of how the Council is evolving security standards and validation programs to support a range of environments, technologies, and methodologies for achieving security. PCI DSS has always been technology-neutral and requirements are intended to apply to all types of environments.”
Changes to the standard:
The updates in PCI DSS 4.0 address emerging threats and technologies while continuing to meet the security needs of the payments industry, and the standard has not deviated from the 12 core PCI DSS requirements. However, the requirements have been redesigned to focus on security objectives that guide how security controls should be implemented. The revised standard also adds flexibility to support innovation and allows organisations to adopt their own methodologies for meeting compliance objectives.
Other revisions in version 4.0, and the goals behind them, include:
- Ensuring the standard continues to meet the security needs of the payments industry
- Adding flexibility and support for additional methodologies to achieve security, and adding more guidance in the document introduction and to individual requirements
- Structural changes to the standard itself, including removing some redundant testing procedures, renumbering requirements, and combining requirements that support the same intent while separating requirements that support different intents
- Clarifying ambiguous requirements and testing procedures identified by the payment information security community, and promoting the need for security as a continuous process
- Enhancing validation methods and procedures
- Adding stronger authentication requirements: identity and access management (IAM) plays a crucial role in safeguarding cardholder data, and the new version of the standard emphasises this
Other authentication security changes include:
PCI DSS 4.0 aligns with NIST guidance on digital identities for authentication and life-cycle management. As the payments industry has gradually moved to the cloud, stronger authentication standards for payment systems and for controlling access logins are necessary. PCI DSS 4.0 considers:
- Multifactor authentication (MFA) usage for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment.
- Passwords for accounts used by applications and systems must be changed at least every 12 months and upon suspicion of compromise.
- Use of strong passwords for accounts used by applications and systems: they must contain at least 15 characters, including numeric and alphabetic characters, and PCI DSS requires that prospective passwords be compared against a list of known bad passwords.
- Access privileges must be reviewed at least once every six months.
- Vendor or third-party accounts may be enabled only as needed and monitored when in use.
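As an added illustration (not from the article or from the PCI SSC), the following Python checks password candidates and account records against the five points above, using the values stated in the article (15 characters, 12-month rotation, six-month review); the account record layout and the sample denylist are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample denylist; a deployment would load a full breached-password corpus.
KNOWN_BAD = {"password123456789", "welcome1234567890"}
MIN_LENGTH = 15                          # minimum stated above for application/system accounts
MAX_PASSWORD_AGE = timedelta(days=365)   # "at least every 12 months"
REVIEW_INTERVAL = timedelta(days=183)    # "at least once every six months"


def check_password(candidate: str) -> list[str]:
    """Return policy violations for a candidate password (empty list means accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        problems.append("no numeric character")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if candidate.lower() in KNOWN_BAD:
        problems.append("appears on known-bad password list")
    return problems


def audit_account(acct: dict, today: str) -> list[str]:
    """Flag an account record against the access-control points listed above.

    Assumed record layout (ISO dates as strings): cde_access, mfa_enabled,
    is_vendor, enabled, in_use, last_password_change, last_access_review,
    suspected_compromise.
    """
    now = date.fromisoformat(today)
    findings = []
    # MFA for every account with cardholder data access, not only administrators
    if acct["cde_access"] and not acct["mfa_enabled"]:
        findings.append("MFA required for every account with cardholder data access")
    # Rotation at least every 12 months, or immediately on suspected compromise
    pw_age = now - date.fromisoformat(acct["last_password_change"])
    if acct.get("suspected_compromise") or pw_age >= MAX_PASSWORD_AGE:
        findings.append("password change due (12-month limit or suspected compromise)")
    # Access privilege review at least every six months
    if now - date.fromisoformat(acct["last_access_review"]) >= REVIEW_INTERVAL:
        findings.append("access privilege review overdue (six-month limit)")
    # Third-party accounts enabled only while actually in use
    if acct["is_vendor"] and acct["enabled"] and not acct["in_use"]:
        findings.append("third-party account enabled while not in use")
    return findings
```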
The implementation timeline:
The PCI DSS 4.0 standard is built with a zero-trust mindset, permitting organizations to build their own unique, pluggable authentication solutions to meet data security regulatory requirements. “PCI DSS v3.2.1 will remain active for two years after v4.0 is published,” says PCI SSC. It is up to the banks and non-banking financial institutions (NBFCs), and the rest of the banking industry, to adopt innovative and enhanced security measures to ensure their own security. This transition period, ending March 31, 2024, gives organizations time to familiarize themselves with the changes, update their reporting templates and forms, and plan for and implement changes to meet the updated requirements. The implementer is at liberty to decide on the timeframe for early retirement of the old version and adoption of the new standard, as long as the result is compliant with the standard.