PCI-DSS v4.0 – What Does it Practically Mean?
The PCI Security Standards Council (PCI SSC) issued version 4.0 of the PCI Data Security Standard (PCI DSS) on March 31, 2022. PCI DSS is a global standard that establishes a baseline of technical and operational requirements for protecting account data. Version 4.0 replaces the previous version (3.2.1) to better address emerging cyber-security threats, emerging business models, and data-processing technologies, and to provide more flexible ways of meeting the requirements in a highly complex operational ecosystem.
PCI-DSS 4.0 – Key Highlights
PCI DSS 4.0 aims to address the ever-growing security needs of the payment industry by promoting security guidelines and best practices as a continuous process, increasing flexibility, and improving procedures for organizations that use different protection methods.
PCI DSS 4.0 introduces multiple enhancements and changes to the standard; the items below reflect the key changes around customer and account data security. More information and other requirements can be found here.
Account Data Protection Requirements
The revised PCI DSS 4.0 emphasizes the need to protect account data (SAD, PAN) at a very fine-grained level, with a data access policy that captures the end-user context of the application and can factor in any type and combination of attributes, from multiple sources, applied seamlessly and consistently across technologies, locations, users, and data.
- New requirement for customer account data retention and deletion
- New requirement for fine-grained access-control
- New requirement for encrypting at-rest all customer account data
- New requirement to enforce access on a need-to-know basis – Attribute Based Access Control
- New requirement to apply Dynamic Data Masking for PAN data, with fine-grained access control
- New requirement to restrict copying of PAN via remote-access technologies
- New requirement to encrypt data in use (upon consumption)
- Apply contextual access control at the data-attribute level, with the ability to restrict access to partial attribute data
- New requirement on disk-level encryption, restricting removal of PAN to an external data store
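As an added illustration (not SecuPi's code nor a PCI SSC artifact), the following Python sketches how the need-to-know, dynamic-masking and remote-access items above combine: an attribute-based policy decides per request whether a PAN is returned in full, masked to the last four digits, or withheld; remote sessions never receive a cleartext PAN; and every decision is written to an audit record. The roles, attribute names, policy rules and the test card number are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Context:
    """Attributes describing one data-access request (constructed attribute set)."""
    user: str
    role: str
    purpose: str   # business justification attached to the session
    network: str   # "corp" or "remote"
    mfa: bool

# Policy: first matching rule decides; anything unmatched is denied (need-to-know).
# Decisions: "full" (cleartext PAN), "last4" (masked), "deny" (no PAN at all).
POLICY = [
    ({"role": "chargeback_analyst", "purpose": "dispute", "mfa": True}, "full"),
    ({"role": "support_agent", "mfa": True}, "last4"),
    ({"role": "dba"}, "deny"),  # admin roles get no PAN through the application path
]

AUDIT: List[dict] = []  # one record per decision, whatever the outcome

def evaluate(ctx: Context) -> str:
    """Match request attributes against the policy; default deny."""
    attrs = vars(ctx)
    decision = "deny"
    for conditions, outcome in POLICY:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            decision = outcome
            break
    # Remote-access sessions are never handed a cleartext PAN, regardless of role.
    if decision == "full" and ctx.network == "remote":
        decision = "last4"
    return decision

def mask_pan(pan: str, decision: str) -> str:
    """Apply the decision to a PAN: full digits, or last four with the rest replaced by X."""
    digits = re.sub(r"\D", "", pan)
    if decision == "full":
        return digits
    return "X" * (len(digits) - 4) + digits[-4:]

def read_pan(ctx: Context, pan: str) -> Optional[str]:
    """Entry point an application would call; logs the decision, then returns the PAN view or None."""
    decision = evaluate(ctx)
    AUDIT.append({"user": ctx.user, "role": ctx.role, "network": ctx.network,
                  "purpose": ctx.purpose, "decision": decision})
    if decision == "deny":
        return None
    return mask_pan(pan, decision)
```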
Cryptography Requirements Enhancement
- New requirement to ensure network certificate validity
- New requirement for maintaining an Inventory of trusted keys with key segregation
Focus on Data Access Privileges Requirements
Administrators and privileged users with unrestricted access to data represent a significant risk. Similarly, the assignment of such roles to users must be carefully analyzed, monitored, and revoked.
- New requirements for policies for managing and viewing account data
- New requirement for understanding the access rights assigned to users
- New requirement that all access to data, via all types of applications, be policy driven
Focus on Visibility and Audit Requirements
Another dimension of significant importance raised in PCI DSS 4.0 is the criticality of real-time visibility into every data-processing transaction, by every user, from any location and technology. This visibility is critical for timely identification of and response to identified risks.
- New requirement for automated audit log mechanism
- New requirement for risk analysis
- New requirement to detect, alert on, and act upon identified risks
- New requirement to be able to support customers’ requests
It’s Right Around the Corner: The Transition Period
After v4.0 is launched, PCI DSS v3.2.1 will remain active for two years. This transition period, from March 2022 to March 31, 2024, is intended to give organizations time to familiarize themselves with the changes in PCI DSS v4.0, update their reporting templates and forms, and plan and implement changes to meet the updated requirements.
As of March 31, 2024, PCI DSS v3.2.1 will be retired, and PCI DSS v4.0 will be the only active version of the standard. More information about the PCI DSS v4.0 implementation timeline can be found here.
Addressing PCI-DSS 4.0 with SecuPi’s Data Centric Security Platform
Following the extended requirements for cardholder data protection and card-processing security in PCI DSS 4.0, SecuPi's platform offers a superset of capabilities specifically designed to address data security (SAD, PAN), application security, and visibility.
A few notable data-centric capabilities include:
– Securing applications using risk-adaptive application access based on Attribute Based Access Control, data classification and tagging
– Dynamic Data Masking and encryption for data in transit
– End-to-end data encryption from ingestion to consumption with full key-segregation, ensuring data cannot be re-identified (decrypted) by non-authorized users
– Multi-facet Attribute Based Access Control, enforcing contextual data access control based on any number of attributes (e.g., User, Session, Dataset, IP, Classification, Location, Catalog, HR, LDAP, Authentication, etc.), constantly enforced across all data stores and access tools
– A single consolidated platform that addresses application and data security requirements, instead of a fragmented set of point products delivering siloed controls and relying on coded views with high implementation and maintenance costs
– End-to-end visibility and monitoring of every user's data and asset access transactions across all data access and processing tools
– Full segregation of Duties over policy definition and policy enforcement