Why Organizations Should Prepare Now for Full Compliance with PCI DSS 4.0

Bank of America introduced the world’s first general-purpose credit card, the BankAmericard, in 1958 and promptly lost an estimated $20 million to credit card fraud over the next 15 months. Efforts to eliminate credit card fraud have been only marginally successful since then.

The unfortunate reality is that credit cards and fraud go hand-in-hand. According to data from the Federal Reserve, more than 80 percent of American adults have at least one credit card, with most owning three or more. At the same time, payment card fraud is now a multibillion-dollar criminal enterprise. According to the most recent Nilson Report, credit card issuers, merchants and acquirers lost more than $32 billion to fraud in 2021.

In 2004, major credit card companies launched the Payment Card Industry Data Security Standard (PCI DSS), requiring all businesses that accept card payments to meet minimum levels of security. However, annual studies reveal low levels of compliance with the standard. Just 43.4 percent of organizations were fully compliant with PCI DSS in 2021, according to the 2022 Verizon Payment Security Report.


No Quick Fixes

With the newest version of the standard, the PCI Security Standards Council hopes to boost compliance by providing alternative implementation options. PCI DSS 4.0, released on March 31, 2022, allows covered entities to design and implement customized security controls instead of requiring rigid conformity with traditional requirements.

Previous versions of the standard had very specific requirements for designing and implementing hundreds of different security controls. However, as the threat environment changed, organizations often complained that the provisions were too burdensome and didn’t address evolving threats.

As a result, many organizations have either ignored requirements or turned compliance into a box-ticking exercise. Annual compliance figures reflect the changing attitudes. Verizon’s 2020 State of Compliance survey found that nearly three-quarters of organizations focus almost exclusively on quick fixes that help them pass PCI DSS compliance audits instead of maintaining truly effective and sustainable control environments.


Customizable Approach

Version 4.0 maintains those defined requirements, but now also allows an option for more customization. Organizations can use security controls that differ from traditional PCI DSS requirements as long as they can demonstrate that the custom controls are effective and match the intent of the PCI DSS requirement. The customized approach gives organizations the flexibility to account for emerging technology changes not specifically addressed by PCI DSS.

The updated standard does provide more definitive guidance for addressing phishing, social engineering and other threats, and requires organizations to strengthen some traditional security controls. For example, it requires more complex passwords for accounts used by applications and systems. Multifactor authentication is now required for all accounts with access to cardholder data, not just for administrators as in previous versions.


Be Prepared

PCI DSS 4.0 also requires “continuous compliance” — a “business as usual” approach to maintaining compliance with the standard. This requires the ongoing measurement and reporting of the security and resilience of critical components within the control environment. The objective is to help organizations shift their compliance emphasis away from checking items off a list in a one-time process and toward outcome-focused strategies.

Full compliance with PCI DSS 4.0 won’t be mandated until March 31, 2025, allowing for a three-year transition period. Organizations can use this time to develop a strategy for custom security controls but must maintain compliance with the previous version of the standard in the interim.

DeSeMa’s team includes experienced auditors, design and engineering experts, and security specialists who can help you develop a comprehensive plan for securing your payment systems. In our next post, we’ll discuss how we can help you prepare for a PCI DSS audit and bolster your defenses if you were recently audited and failed.

Get Started Today!