The PCI-DSS 4.0, New Financial Standards for Businesses

While the Payment Card Industry Security Standards Council (PCI-SSC) first created the PCI Data Security Standard (PCI-DSS) in 2006, the standard has been amended several times since then. Most recently, the PCI-SSC published version 4.0 of the PCI-DSS on March 31, 2022, with the goal of providing consumers with an even more secure environment when using their credit, debit, and prepaid cards to make payments, whether online or over the phone. To this end, the updated standard gives consumers and merchants alike new guidance on the scope and applicability of the PCI-DSS.

What is the scope and applicability of the PCI-DSS 4.0?

As stated by the PCI-SSC, the PCI-DSS 4.0 applies “to entities with environments where account data is stored, processed, or transmitted”; even where an entity does not store, process, or transmit account data, some requirements can apply when the entity’s systems “can impact the security of the [account data]”. Beyond that, the scope of the standard also covers “system components that may not store, process, or transmit [Cardholder Data] CHD/ [Sensitive Authentication Data] SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.” On this last point, one of the most significant changes ushered in by the PCI-DSS 4.0 is the way the standard now defines personal data in the context of credit, debit, and prepaid card transactions.

Cardholder data vs. account data

One of the primary changes made to the PCI-DSS in the latest update is that the new standard defines personal information more expansively. More specifically, previous iterations of the PCI-DSS categorized the personal data of consumers as cardholder data, while more sensitive data, such as card verification values (CVVs), was instead classified as sensitive authentication data (SAD). Businesses were accordingly permitted to apply different levels of protection to cardholder data and SAD. The PCI-DSS 4.0, however, combines cardholder data and SAD into a single category referred to as account data, meaning that many organizations will have to change how they store certain forms of data or risk falling out of compliance with the PCI-DSS.

PAN data

In keeping with the way businesses must now protect the account data of consumers under the PCI-DSS 4.0, one of the landmark features of PCI-DSS controls in general is the requirement that organizations protect primary account number (PAN) data. Accordingly, businesses have an obligation to safeguard PAN data via five primary methods: masking, hashing, truncation, encryption, and tokenization. While these techniques can still be used to protect PAN data, the PCI-DSS 4.0 does alter how companies are allowed to apply them. For example, the new standard states that simple hashing functions will no longer be permitted, as “keyed cryptographic hashing algorithms such as HMAC, CMAC or GMAC must be used” instead; the reason is that an unkeyed hash of a PAN offers little protection, since the set of valid card numbers is small enough that a digest can be matched back to its PAN by recomputing the hash over candidate numbers, whereas a keyed hash cannot be recomputed without the secret key.
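As an added illustration of the PAN protection methods above (this is example code, not from the article or the PCI-SSC), the following Python shows masking, truncation, a plain hash, and the keyed HMAC-SHA256 that PCI-DSS 4.0 requires in its place, together with a constant-time match against a stored keyed digest. The sample PAN, the key, and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a well-known test-card pattern, not a real account).
SAMPLE_PAN = "4111111111111111"
# Secret key for the keyed hash; in production it lives in an HSM or key
# management service, never next to the digests it protects.
HMAC_KEY = secrets.token_bytes(32)

def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking for display: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits, discard the rest."""
    return pan[-4:]

def unkeyed_pan_hash(pan: str) -> str:
    """Plain SHA-256 of a PAN. Not acceptable under PCI-DSS 4.0: there is no
    secret, so anyone holding the digest can recompute it for candidate PANs."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of a PAN. Without the key the digest cannot be recomputed,
    so it can still be used for matching while the key stays in the key store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def pan_matches(candidate: str, stored_digest: str, key: bytes) -> bool:
    """Constant-time comparison of a candidate PAN against a stored keyed digest."""
    return hmac.compare_digest(keyed_pan_hash(candidate, key), stored_digest)

if __name__ == "__main__":
    assert luhn_valid(SAMPLE_PAN)
    print("masked:   ", mask_pan(SAMPLE_PAN))      # 411111******1111
    print("truncated:", truncate_pan(SAMPLE_PAN))  # 1111
    digest = keyed_pan_hash(SAMPLE_PAN, HMAC_KEY)
    print("keyed:    ", digest)
    assert pan_matches(SAMPLE_PAN, digest, HMAC_KEY)
```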

Stronger authentication requirements

Another major change introduced with the PCI-DSS 4.0 is that the authentication requirements businesses must meet when processing account data have been strengthened. Most notably, businesses, as well as any third-party organizations that process financial information on their behalf, must now use multi-factor authentication (MFA) for any account that has access to customers' account data, whereas previous iterations of the PCI-DSS limited this requirement to administrators with access to the overall cardholder data environment. In addition, the PCI-DSS 4.0 mandates that all accounts used within applications or systems have their passwords changed every 12 months, as well as whenever there is suspicious activity that could result in those accounts being compromised.

While the many changes introduced in the PCI-DSS 4.0 in March of 2022 are too broad to cover within a single article, the general theme behind all of them is the same: ensuring that consumers around the world can use their credit, debit, and prepaid cards for financial transactions in the safest and most secure way possible. For this reason, periodic updates to the PCI-DSS are very much needed, particularly given how quickly the digital landscape changes. As such, while the PCI-DSS 4.0 is the latest iteration of these financial standards, further changes will certainly follow in the years to come.