PCI DSS stands for “Payment Card Industry Data Security Standard” and was developed to protect credit card data and secure card transactions. The aim is that every company that processes, stores or transmits credit card data takes appropriate security measures to protect that sensitive data. [1]
The PCI DSS standard consists of mandatory technical and organisational requirements, including network security, data protection, vulnerability management, and access monitoring and logging. It affects retailers, e-commerce websites, payment service providers, banks, hotels, restaurants, and other organisations that accept credit card payments. Both large companies and small merchants must comply with PCI DSS, regardless of the number of transactions they process. Compliance with the PCI standard is monitored through regular security audits and reviews.
What changes with PCI DSS version 4.0?
The updated version 4.0 was published in March 2023. The transition period to this new version ends in April 2024, after which the current version 3.2.1 is no longer valid. By April 2025 at the latest, all companies must be fully compliant with version 4. [2]
In the updated version 4, IT security is no longer treated as a largely static set of controls but is required to be a continuous, adaptable process. Depending on the company, this can have a significant impact if resource-intensive processes, documentation, and protocols must now take place on a more regular and traceable basis. [3] The required active, individual security strategy is also to be supplemented with specifically tailored risk assessments and countermeasures.
Required security measures for PCI DSS 4.0
Apart from the essential strategic reorientation of the security topic, version 4 also contains extensions of individual measures. [4] Some of these are hopefully already largely addressed and implemented in many companies:
- Detection and protection against phishing attacks
- Regular review of all user accounts and access permissions
- Two-factor authentication and updated password requirements
- Automated review of security-related logs and log data
- Active vulnerability management (scanning for vulnerable services)
- Better monitoring of communications for malware and attacker anomalies via next-generation firewall (NGFW) and IPS technologies
The enhanced PCI DSS standard is designed to better secure credit card data and transactions, protect end users from identity theft and fraud, and minimise potential liability risks in the event of data breaches.
The update of the standard requires companies to deal with IT security more comprehensively than before and will therefore be accompanied by increased efforts. In case of non-compliance, companies will face penalties, fines, loss of payment processing services and customer trust.
Sources:
[1] https://www.onlinesicherheit.gv.at/Themen/Experteninformation/Normen-und-Standards/PCI-DSS.html
[2] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/General%20Guidance/PCI-DSS-v4-0-At-a-Glance-r1-DE.pdf?lang=de
[3] https://listings.pcisecuritystandards.org/documents/PCI-DSS-v3-2-1-to-v4-0-Summary-of-Changes-r1.pdf
[4] https://www.csoonline.com/article/3678989/pci-dss-4-0-is-coming-how-to-prepare-for-the-looming-changes-to-credit-card-payment-rules.html