2022 comes to an end, a year full of novelties in the field of PCI standards, as seen in the latest edition of the PCI European Community Meeting in Milan, the annual meeting point for the main companies in the sector.
It has been an important year: PA-DSS has been withdrawn and definitively replaced by the Software Security Framework (the standard governing data security in payment applications), and, alongside standards as important as PCI PTS (focused on the security of physical payment devices), MPoC, which regulates payment acceptance on mobile devices, has recently been published. But undoubtedly the biggest impact comes from the publication of the new PCI DSS.
Last March PCI DSS 4.0 was published, the Council's most important standard and the backbone of the other 16 standards that make up its security ecosystem. The importance and care that went into this new version can be gauged from the time needed to finish shaping it: almost 8 years since the previous major version (3.0) was published, and more than 4 since the last "minor" revision (3.2.1).
This is an update loaded with new features, since the need for security has grown sharply in recent times with the spread of digital payments. The Council, aware of the change in payment channels and the appearance of new threats, has redoubled its efforts and focused on the aspects that matter most to guaranteeing the security of payments.
This translates into more than 50 new security requirements, of which more than a dozen are mandatory from the outset. The main ones include:
- Use of stronger and more secure passwords.
- Reinforcement of multi-factor authentication to prevent credential theft and unauthorized access.
- Implementation of anti-phishing and anti-ransomware measures.
- Increased security in the development and maintenance of web pages.
In addition, the proliferation of intermediate service providers, brought about by new post-pandemic business models and by regulations such as the GDPR or PSD2, makes measures to prevent and avoid incidents essential. The new version therefore pays particular attention to the security of these third parties, whose risk in the event of a breach is greater, since it aggregates that of all their clients. Up to 11 new security requirements have been defined exclusively for them, in addition to greater detail and more demands in their self-assessment questionnaire.
Finally, one of the innovations that has attracted the most attention in PCI DSS 4.0 is the way in which security requirements can be met. The Council, aware of the demands this new version places on merchants and providers and of the speed at which the world of payments evolves, has decided to make the paths to compliance more flexible. Until now, a fixed set of steps had to be followed to validate a security requirement. Now, where the organization prefers, a requirement can be met through its own solution (the customized approach), so that the route to the security objective is no longer set in stone.
To facilitate this profound change, a transition period has been established during which both 3.2.1 and 4.0 are valid for compliance, with the current version remaining valid until the end of March 2024. However, this could turn into a poisoned chalice if we treat the transition period as a break.
The extra 15 months are needed to implement all the new security requirements on time. Although many of them only become mandatory at the end of March 2025 (which seems a distant date), the truth is that they are very demanding and therefore require a period of implementation and dedication. Moreover, it would be a mistake to delay measures that already remedy present dangers and threats.
In summary, this important PCI update should be seen as an opportunity to confront and resolve existing threats, and to get ahead of less proactive competitors. To do so, it is advisable to look for a technology partner such as Necomplus, with PCI experts who can accompany organizations on the long road to regulatory compliance.