The PCI-DSS 4.0, New Financial Standards for Businesses

August 18, 2022 | 4 minutes read
The PCI-DSS 4.0, New Financial Standards for Businesses

While the Payment Card Industry Security Standards Council (PCI-SSC) initially created the PCI Data Security Standard (PCI-DSS) in 2006, these standards have been amended several times since then. This being said, the PCI-SSC recently published version 4.0 of the PCI-DSS on March 31, 2022, with the goal of providing consumers with an even more secure environment when using their credit, debit, and credit cards to make payments, be they online or via the phone. To this end, these updated standards provide consumers and merchants alike with new guidelines concerning the updated scope and applicability of the PCI-DSS.

What is the scope and applicability of the PCI-DSS 4.0?

As stated by the PCI-SCC, the PCI-DSS 4.0  applies “to entities with environments where account data is stored, processed, or transmitted, even where an entity does not store, process, or transmit account data, some requirements can apply when the entity’s systems “can impact the security of the [account data]”. On the other hand, the scope of the law covers “system components that may not store, process, or transmit [Cardholder Data] CHD/ [Sensitive Authentication Data] SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.” To this last point, one of the most significant changes that were ushered in via the PCI-DSS 4.0 are the ways in which the standard now defines personal data in the context of credit, debt, and prepaid card transactions.

Cardholder data vs. account data

One of the primary changes that were made to the PCI-DSS in the latest update are the ways in which the new standard defines personal information in a more expansive manner. More specifically, previous iterations of the PCI-DSS categorized the personal data of consumers as cardholder data, while more sensitive data, such as card verification values (CVVs) were instead classified as sensitive authentication data (SAD). Likewise, businesses and companies were permitted to apply different levels of protection to cardholder data and SAD. However, the PCI-DSS 4.0 combined cardholder data and SAD into a combined category referred to as account data, meaning that many organizations will have to alter the manner in which they store certain forms of data, lest they risk violating compliance within the PCI-DSS.

PAN data

In keeping with the ways in which businesses must now protect the account data of consumers under the PCI-DSS 4.0, one of the landmark features of PCI-DSS controls in general are the ways in which the standards require organizations to protect primary account number (PAN) data. Subsequently, businesses have an obligation to safeguard PAN data via five primary methods, which include masking, hashing, truncation, encryption, and tokenization. In turn, while these techniques can still be used to protect PAN data, the PCI-DSS 4.0 does make some alterations to the ways in which companies are allowed to utilize these methods. For example, the new standards state that simple hashing functions will no longer be permitted, as “keyed cryptographic hashing algorithms such as HMAC, CMAC or GMAC must be used” instead.

Stronger authentication requirements

Another major change that was implemented in accordance with the PCI-DSS 4.0 was that the authentication requirements that businesses must comply with when processing account data were enhanced. Most notably, businesses, as well as any third-party organizations that may process financial information on behalf of such businesses, must now use multifaceted authentication (MFA) for any accounts that have access to the account data of customers, whereas previous iterations of the PCI-DSS limited this requirement to administrators that had access to the overall cardholder data environment. Conversely, the PCI-DSS 4.0 also mandates that all accounts that are used within applications or systems have their passwords changed every 12 months, as well as if there is any suspicious activity that could result in these accounts being compromised.

While the multitude of changes that were introduced in the PCI-DSS 4.0 in March of 2022 are too broad to cover within a single article, the general theme behind all of these changes remains the same, ensuring that consumers around the world can use their credit, debit, and prepaid cards to engage in financial transactions in the safest and most secure way possible. For this reason, periodic updates to the PCI-DSS are very much needed, particularly due to the expedient manner in which changes within the digital landscape can be made. As such, while the PCI-DSS 4.0 is the latest iteration of these financial standards, additional changes will certainly be made in years to come.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Join The CaseGuard Team at IAI’s International Forensic Educational Conference
August 02, 2023 | 3 minutes read
Join The CaseGuard Team at IAI’s International Forensic Educational Conference

Meet our team at the Annual IAI International Forensic Educational Conference in Maryland this August from August 21st to 23rd.

Learn More »
Embarrassing Redaction Failures & How To Prevent Them
July 24, 2023 | 4 minutes read
Embarrassing Redaction Failures & How To Prevent Them

From exposing trade secrets to endangering operations by the National Security Agency, redacting documents incorrectly can lead to a lot of headaches.

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
Data Breaches: What’s The Big Deal & How To Prevent Them
July 03, 2023 | 5 minutes read
Data Breaches: What’s The Big Deal & How To Prevent Them

Not all data breaches are cyber attacks, and not all cyber attacks are data breaches; however, the terms are sometimes used interchangeably. A data breach involves unauthorized access to, and potential distribution of, sensitive data to an untrusted third party.

Learn More »