A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
What’s New in PCI DSS 4.0? Breadcrumb Home Insights Blog What’s New in PCI DSS 4.0? January 4, 2023 In March 2022, The Payment Card Industry (PCI) Security Standards Council released the latest version of the PCI Data Security Standard (DSS), version 4.0. Its predecessor, PCI DSS v3.2.1, remains active for two years, meaning that PCI assessments started on or after March 31, 2024 will also require PCI v4.0 report submissions. At a high level, the 12 core PCI DSS requirements do not fundamentally change with the upcoming v4.0. The original v3.2.1 requirements remain the foundation of v4.0 and the existing methods used to measure compliance remain essentially the same. However, v4.0 updates focus on how the security controls should be implemented. Key goals of PCI DSS v4.0 include: Updating the standard to ensure it continues meeting security requirements Improving current requirements through validation methods and procedures Adding flexibility and support for methods to achieve the requirements Promoting PCI security as part of a continually improving process One noteworthy change in v4.0 introduces an alternate option for meeting compliance. Customized implementation, only applicable to those completing a Report on Compliance (ROC), considers an objective’s intent and allows businesses to design their own unique security controls to meet data security regulatory requirements. This change, however, also has the potential to cause confusion if organizations miss the intended rigor of the requirement. Qualified security assessors (QSAs) must carefully scope new assessments, taking the time to thoroughly explain the control intent. While this may be possible for businesses with mature PCI controls and experienced PCI employees, other businesses may have difficulty understanding the nuances of the language and therefore complying with the control intent. Building on a Zero Trust mindset, the v4.0 standard also lets organizations scale their authentication methods to fit their transaction control objectives and better align to the risk ecosystem. This is due to the PCI Security Standards Council, in partnership with Europay International, Mastercard and Visa, implementing the use of the “3DS Core Security Standard” during transaction authorization. Although the Zero Trust security model is not directly mentioned in the new standard, its differences from PCI v3.2.1 indicate a subtle shift away from precise technical specifications and toward a broader, more progressive view of achieving adequate control. Other v4.0 changes include recognizing the value of stronger authentication mechanisms within identity and access management (IAM) solutions for safeguarding cardholder data. This involves aligning more closely to the National Institute for Standards and Technology (NIST) authentication and lifecycle management models. As organizations within the payment industry migrate to cloud-based ecosystems, payment and control solutions must employ even stronger authentication methods. PCI DSS v4.0 addresses these requirements with: Multi-factor authentication (MFA) for all accounts with access to cardholder data (no longer limited to the overarching card holder environment) User passwords increased from 8 characters to 12 characters with alphanumeric complexity requirements Application and system passwords increased to 15 characters with full complexity requirements (alphanumeric, upper and lower case and special characters) Password changes required every 12 months or on suspicion of compromise. Prospective passwords are also compared to a list of known weak passwords Privileged access reviews every six months minimum Enablement of vendor and/or third-party accounts only as needed (and monitored while in use) In addition to compliance and authentication, v4.0 also has expanded data encryption to “trusted networks,” broadening requirements for encrypting cardholder data, for example, while a business waits for authorization. Finally, v4.0 sets the requirement for data discovery services to find all sources and locations of cleartext primary account numbers (PAN) at least once every 12 months. Discovery must also occur upon significant changes to the cardholder data environment or its supporting operational processes. This is to prevent malicious access to the environment. Once malicious code embeds in the network, cardholder data can be accessed at weak points in the data transmission path as authorization takes place. In closing, PCI DSS v4.0 should be a significant upcoming change for everyone involved in the payment card industry. In the meantime, expect plenty of debate, new council-issued guidelines and requirement clarifications leading up to March 2024 and beyond. By: Jay Nebel Security Consultant II | Optiv Security Consultant II, PCI Advisory Services, MPM, CISA, CIA, CISSP, QSA, CDPSE, PCIP By: John Seitzinger Technical Manager | Optiv Technical Manager, Strategy and Risk Services, CISSP, CISM, CISA, BSI ISO 22301 LA Share: Payment Card Industry Data Security Standard PCI DSS PCI DSS v4.0 Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com. Related Insights Image PCI DSS 4.0 Is Here: When Does My Company Need To Be Ready? Some companies should update to PCI DSS v4.0 now, while others should wait. This post features helpful details and advice on how to begin preparing. Image PCI DSS 4.0: A Primer The new Payment Card Industry Data Security Standard – version 4.0 – has been released. This post explores the details of the new standard. Image Payment Card Industry (PCI) Advisory Services Our PCI Advisory Services can build around your specific context, helping you to untangle competing requirements from multiple regulations.
Optiv Security: Secure greatness.® Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.