The deadline for PCI DSS 4.0 has been and gone. But it’s never too late to advance compliance plans. It’s not just about avoiding potentially large fines and other penalties. Following the standard to the letter helps ensure organizations are adhering to industry best practices, devised by some of the smartest minds in data protection. That in itself will reduce the chances of compliant enterprises falling victim to a serious data breach.
With 51 new requirements in this latest iteration of the cardholder data security standard, there’s plenty for merchants, banks and other businesses to consider. To help make sense of it all, check out the latest comforte webinar, featuring insight from former PCI Security Standards Council (SSC) VP, Jeremy King, and Forrester Principal Analyst, Heidi Shey.
Challenges and requirements
Among the most important Control Objectives in PCI DSS 4.0 are protecting account data and implementing strong access control measures. With threat actors continuing to target misconfigured wireless networks, and even vulnerabilities in legacy encryption/authentication protocols, it’s essential that primary account numbers (PANs) are protected both at rest and in transit. The standard notes that enterprises can either encrypt the data prior to transmission, encrypt the entire session, or both. There are also requirements around the handling of keys and certificates.
For Forrester’s Shey, PCI DSS 4.0 could be a useful springboard to the kind of crypto agility that will be needed in the post-quantum era. Requirement 12 demands that organizations monitor industry trends and emerging cryptographic vulnerabilities, inventory their algorithms and document their use.
However, part of the challenge in achieving these goals is not only the speed with which the technology and threat landscapes are evolving, but also the limited resources available to compliance teams and the complexity of their cardholder data environments (CDEs). The sheer number of on-premises and cloud servers, web applications, virtualized components, e-commerce solutions and storage systems, potentially from different providers, makes the discovery and mapping piece more difficult, but also more important than ever.
Where to start
According to PCI SSC’s King, recent innovation in payments is creating an extended supply chain of providers who may need to comply with PCI DSS 4.0. Any organization that stores, processes, or transmits cardholder data and/or sensitive authentication data will need to build a compliance program.
Among the tips shared by King and Shey are:
- Begin with data discovery and classification: understand what information you have and where it flows
- Follow data minimization principles; delete any data that has served its purpose and is no longer required. It will only increase risk and cost if retained
- Apply controls to cardholder data to ensure it is protected in line with PCI DSS 4.0 requirements, wherever it resides and wherever it flows to
- Consider tokenization as a control, as it will allow the organization to continue using data for analytics and business enablement
- Perform the data discovery, classification and control stages in parallel rather than one after the other, as the CDE is too dynamic and data volumes too great for a sequential approach
- Follow good “crypto housekeeping” rules when it comes to data protection
- Enforce multi-factor authentication (MFA) and least privilege for access to CDEs, and perform annual privilege checks to ensure policy remains up to date
- Consider the PCI DSS Customized Approach, which offers flexibility to meet the standard’s requirements in different ways if your tech environment and circumstances demand it
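The discovery, minimization and tokenization tips above, as an added Python example that is not part of the webinar or comforte’s product: it scans constructed log lines for Luhn-valid PANs, reports them, and replaces each with a keyed, non-reversible surrogate that keeps the data usable for joins. The key, the log lines and the keep-last-four masking policy are assumptions for the example; a production deployment would hold the key in an HSM/KMS or use a token vault.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces/dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines: 4111111111111111 is a well-known test PAN,
# 1234567890123456 is a 16-digit order id that fails the Luhn check.
SAMPLE_LOGS = [
    "2024-05-01 12:34:56 checkout ok pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:35:02 order=1234567890123456 status=shipped",
]
KEY = b"assumed-token-key-kept-in-an-hsm-or-kms"  # placeholder, not a real key


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out most random digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Discovery: return the Luhn-valid PANs found in free text, digits only."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in candidates if luhn_valid(d)]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Control: deterministic, keyed, non-reversible surrogate for a PAN.
    Same PAN -> same token (analytics joins keep working); the last four digits
    are kept (assumed policy) and the token is forced to fail the Luhn check so
    a re-scan never mistakes a token for a live PAN."""
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    body = "".join(str(b % 10) for b in mac)[: len(pan) - 4]
    if luhn_valid(body + pan[-4:]):
        body = str((int(body[0]) + 1) % 10) + body[1:]  # any +1 breaks Luhn
    return body + pan[-4:]


def redact(text: str, key: bytes) -> str:
    """Replace every Luhn-valid PAN in text with its token; leave the rest."""
    def swap(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return tokenize_pan(digits, key) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(swap, text)
```

Running `find_pans` over a log store gives the inventory the discovery step calls for; running `redact` at ingestion keeps PANs out of logs that sit outside the CDE, which is the minimization step applied to a common leak path.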
For those looking for extra guidance, the PCI SSC has published a Prioritized Approach document to help organizations gain some quick wins. But be aware that compliance is no simple check-box process. It requires significant time and effort. Take a look at comforte’s new webinar to find out more.
comforte is offering your business a 30-day free trial of comforte Data Discovery and Classification, which features a new SaaS console manager. During the period, you’ll get a close-up look at how the product works in situ, and obtain a detailed understanding of where security and compliance risk exists across the organization. Most importantly, you’ll be able to see how the product could help to streamline your PCI DSS 4.0 compliance processes.
Get in touch today to start your free trial. We’re here to take the pain away from PCI DSS compliance.