Customization, multi-factor authentication are key features in PCI DSS v4.0 global payment benchmark. Credit: Rawpixel / Getty Images Standards are often force-fed to the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s global Data Security Standard (PCI DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.“The industry has had unprecedented visibility into, and impact on the development of PCI DSS v4.0,” says PCI SSC executive director Lance Johnson. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”“We used to think that PCI DSS was a standard enforced onto us one-way, and it was something we could only accept passively,” adds Edward Mao, a senior manager in the Information Security and Privacy Governance Department at the Rakuten Group, an electronic commerce and online retailing company. “However, it is now something we do with key industry experts actively, creating a standard we believe in.” Organizations will have two years to digest PCI DSS 4Organizations will have two years to digest the new standard and make any changes from the current standard, PCI DSS 3.21, which will be retired on March 31, 2024. Key elements in the new standard include: Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewallsExpansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environmentIncreased flexibility for organizations to demonstrate how they are using different methods to achieve security objectivesAddition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposurePCI DSS v4.0 built for a zero trust mindset“One of the problems with crafting regulations or pseudo-regulations, like PCI-DSS, is that technology changes and what was once a meaningful security control ceased to be one,” says John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company. “Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis, so the regulations needed to be changed.”Alex Ondrick, director of security operations at BreachQuest, an incident response company, maintained that PCI DSS v4.0 is built for a zero trust mindset. “It allows organizations increased flexibility to build and tailor authentication solutions to fit their requirements,” he says. “Arguably, the most important addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts that have access to cardholder data. Although this is technically a best practice until March 31, 2024, it is a significant step toward securing systems and accounts which are accessing cardholder data.” Customized approach requires a mature appraisal of riskWhile organizations may be looking forward to the additional breathing room given to them by the customization and flexibility provisions in the new standard, Dan Stocker, director of Coalfire, a provider of cybersecurity advisory services, offers a note of caution. “Organizations will want to carefully consider their risk management options under DSS 4.0, especially where they are on the technology leading edge. The customized approach will give them great power but require a mature appraisal of the risk in deviating from the defined approach,” he says. “Likewise, where requirements allow flexible implementation, a targeted risk analysis will be required.”“These processes are brand new in PCI, and are worth a look,” Stocker adds, “even if they may not be right for every organization.” Related content news FCC proposes BGP security measures Protecting the Border Gateway Protocol is as important as protecting the border. By Gyana Swain May 17, 2024 1 min Regulation Network Security feature Cyber resilience: A business imperative CISOs must get right With ransomware at an all-time high, companies need to understand that being cyber resilient means going beyond compliance to considering all aspects of a business, from operational continuity to software supply chain security. By Andrada Fiscutean May 16, 2024 12 mins Regulation Incident Response Supply Chain news US AI experts targeted in cyberespionage campaign using SugarGh0st RAT Threat actors use phishing techniques to obtain non-public information about generative artificial intelligence. By Lucian Constantin May 16, 2024 4 mins Phishing Data and Information Security news Cycode rolls out ASPM connector marketplace, analysts see it as bare minimum Application security posture management tools need to integrate with other security tools to do their job. By Evan Schuman May 16, 2024 4 mins Application Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe