Less than one year until the current PCI DSS standard is retired. How prepared are you for PCI DSS v4.0?
Date published: 13 Apr 2023
March 2022 saw the release of PCI DSS v4.0, the most significant change to the standard since 2004. We are currently in the transition period between v3.2.1 and v4.0 and now is the time for organizations to begin implementing controls in preparation for meeting the updated requirements.
This is particularly important given that recent research conducted on behalf of Titania indicates that many commercial CNI organizations will need to make significant changes to their network security and compliance practices in order to comply with the new standard.
The PCI DSS v4.0 implementation timeline
Both versions 3.2.1 and 4.0 are currently active, but by the end of March 2024, it is expected that those with compliance requirements will have updated all forms and templates and have a plan for implementing the necessary changes.
[Figure: PCI DSS v4.0 implementation timeline. Credit: PCI SSC]
Following this, PCI DSS 3.2.1 will officially be retired, and organizations need to begin phasing in new controls if they have not yet started the process. From 31 March 2025, organizations will need to be able to validate the new requirements to remain compliant.
Recap: How have PCI DSS requirements changed?
The latest version of the standard was developed based on industry feedback, with over 6,000 pieces of feedback received. The changes are mapped to four main goals:
- Continue to meet the security needs of the Payment Industry
- Add flexibility for different methodologies
- Enhance validation methods
- Promote security as a continuous process
This last goal urges organizations to step away from time-based auditing and embrace practices that validate that card payment data is continuously secure. For many organizations this will require a shift in mindset as well as investment in new solutions capable of continuously assuring compliance at scale.
Titania’s report findings indicate a lack of preparedness for PCI DSS v4.0
A study conducted on behalf of Titania highlights that oil and gas, telecommunications, and banking and financial services organizations are prime targets for threat actors that exploit vulnerable network device configurations to scale their attacks. The key findings indicate that current organizational approaches to securing commercial CNI network infrastructure are leaving Cardholder Data Environments, as well as other critical segments of the network, vulnerable to attack.
Almost all organizations reported analyzing firewalls annually, but not analyzing switches and routers when checking for misconfigurations. Furthermore, only 37% could 'very effectively' categorize and prioritize the compliance risks that undermine the security of their networks.
The findings show that given the current organizational approaches to network security, most companies cannot be continuously compliant with PCI DSS v4.0.
How can organizations prepare for PCI DSS v4.0?
By now, compliance teams are likely to have familiarized themselves with version 4.0 and should be reviewing all existing policies, procedures, and other cybersecurity activities against the new standard.
Following network security best practice will also help to ensure compliance. Three key steps include:
- Effective network segmentation
- Adopting a zero-trust mindset
- Abandoning sampling and shifting to continuous assessment even if only for critical segments of the network
Network segmentation is regarded as one of the most effective mitigating controls in security strategies. In fact, VentureBeat reported that organizations that adopt zero-trust segmentation as part of their zero-trust strategy save an average of $20.1 million in application downtime and deflect five cyber disasters per year.
Given the vitally important role that routers, switches and firewalls play in network segmentation, it's increasingly important that organizations focus on these devices to minimize their attack surface.
Verifying through policy enforcement, rather than simply trusting that devices, people, and applications are secure, is a key principle of zero trust.
Security automation is needed to validate the security of every network device accurately and continuously. This is where vulnerability management software such as Nipper Enterprise comes into play. The solution identifies misconfigurations as drift occurs and continuously prioritizes remediation based on security and compliance risks. Visit our product page to find out more.
Organizations that used to treat compliance as an annual tick-box exercise for a sample of network devices have found that the recommendations set forth in PCI DSS 4.0 require a complete shift in mindset and approach, both to demonstrate that they meet the requirements and to gain assurance that they are minimizing their attack surface.