Introduction
When it comes to cybersecurity, compliance may not be the most eye-catching topic, yet it is undoubtedly significant. In the current digital age, security teams play a vital role in Governance, Risk, and Compliance (GRC) concerns, which warrants their due recognition in any security organization’s objectives and priorities.
Notably, various compliance standards and frameworks have recently adopted requirements that echo security best practices rather than mere checkboxes, which makes PCI DSS 4.0, the newest credit card standard, all the more worth studying. Let’s delve deeper into its facets and what security professionals can glean from the changes.
The Noteworthiness of PCI DSS 4.0
The Payment Card Industry Security Standards Council (PCI SSC), comprising the main credit card industry players Visa, Mastercard, American Express, Discover, JCB International, and UnionPay, is responsible for setting up and administering the credit card standard. Under this standard, every entity accepting credit card payments needs to ensure the security of card users’ data. Hence, any business dealing in credit card payments must adhere to the PCI DSS 4.0 standard, which was rolled out in March 2022 with a two-year transition period. From March 31, 2024, onwards, PCI DSS 4.0 will be the sole active version of the standard.
Security Aspects of the PCI DSS 4.0 Standard
Let’s focus on some of the most prominent changes in v4.0, particularly those that concern us as security professionals:
Avoidance of Malicious Scripts
With an increasing number of attacks and fraud occurrences involving malicious third-party scripts, the Council updated the standard to include specific requirements for managing payment page scripts and for deploying mechanisms that detect skimming. Thus, businesses need to ensure no malicious scripts exist on their payment pages, keep an inventory of the scripts that are authorized to be there, and regularly monitor those scripts for unexpected changes or additions.
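One practical way to meet the script-inventory and tamper-detection side of this requirement is to baseline every script loaded by the payment page and diff later fetches against it. The following is an added example, not code from the original article or from the PCI SSC: it parses a constructed HTML payment page, records each external script by its src URL and each inline script by the SHA-256 of its body, and reports anything that is absent from the approved baseline. The hostnames (checkout.example, unapproved-cdn.invalid) and the page contents are constructed placeholders.

```python
"""Baseline check for the scripts present on a payment page.

Added example (not from the original article). It inventories every <script>
on a page as ('src', url) or ('inline', sha256 of the body) and compares that
inventory with an approved baseline. Unapproved external scripts and inline
scripts whose body has changed both show up as deviations.
"""
import hashlib
from html.parser import HTMLParser

# Constructed sample pages: the page as approved (baseline) and the page as
# fetched later. Hostnames are placeholders, not real services.
BASELINE_HTML = """
<html><body>
<script src="https://checkout.example/js/payment-form.js"></script>
<script>window.pciPage = true;</script>
</body></html>
"""

OBSERVED_HTML = """
<html><body>
<script src="https://checkout.example/js/payment-form.js"></script>
<script>window.pciPage = true; document.title = 'changed';</script>
<script src="https://unapproved-cdn.invalid/loader.js"></script>
</body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect each <script> as ('src', url) or ('inline', sha256 hex digest)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # accumulates text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._inline = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._inline = None


def inventory(html):
    """Return the ordered list of script identities found in the page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_deviations(baseline_html, observed_html):
    """Return scripts on the observed page that are not in the approved baseline."""
    approved = set(inventory(baseline_html))
    return [script for script in inventory(observed_html) if script not in approved]


if __name__ == "__main__":
    for kind, value in find_deviations(BASELINE_HTML, OBSERVED_HTML):
        print(f"unapproved {kind} script: {value}")
```

In production the baseline would be stored outside the web tier and the observed page fetched on a schedule from outside the hosting environment, so that a compromised server cannot hide a change from the monitor; the diff itself is what this block demonstrates.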
Installation and Maintenance of Network Security Controls
The upgraded PCI DSS standard emphasizes the need to implement and maintain network security controls. It indicates that, in today’s complex network landscape, securing your business means addressing network security across hybrid and multi-cloud settings, preferably through a distributed cloud strategy.
Development and Maintenance of Secure Systems and Software
Requirement 6 of the updated standard points to the need for appropriate API security and the significance of a secure software development lifecycle (SSDLC). It further implies that businesses need to remain alert to system changes and ensure that those changes follow proper change control procedures. By securing their APIs, businesses safeguard a key aspect of modern business operations.
Logging, Visibility, and Monitoring
Company logs need to be accessible across all environments, as detailed in Requirement 10 of the update. Every business must confirm that it has appropriate logging and monitoring capabilities across its hybrid and multi-cloud environments and use that visibility to monitor those environments effectively for security, fraud, abuse, and compliance issues.
Conclusion
The PCI DSS 4.0 update may focus on payment card security, but its importance extends far beyond that scope. It provides much-needed, updated guidance to security teams amidst an evolving threat landscape and the increasing prevalence of hybrid and multi-cloud environments. By taking its lessons on board and implementing its recommendations, security professionals can significantly bolster their businesses’ security posture.
Related Links:
https://www.darkreading.com/cybersecurity-operations/pci-dss-4-0-is-good-security-guidance-for-everyone