Council updates data security standards for the payments industry

The PCI Standards Security Council released version 4.0 of the PCI Data Security Standard on Thursday. Pictured: Guests tap to pay with contactless cards at the Visa ID Intelligence launch party at Money 20/20 on Oct. 23, 2017 in Las Vegas. (Photo by Isaac Breken/Getty Images for VISA Inc)

Payments industry stakeholders released updates to data security standards Thursday to address emerging threats and technologies.

The PCI Security Standards Council has released version 4.0 of the PCI Data Security Standard (PCI DSS). These are technical and operational requirements designed to protect account information.

According to a PCI SCC press release, more than 200 organizations have provided feedback on more than 6,000 feedback items.

Examples of changes to the PCI DSS v4.0 are:

  • Updated firewall terminology for network security controls to support a wider range of technologies used to meet the security objectives traditionally achieved by firewalls.
  • Extension of requirement 8 to implement multi-factor authentication (MFA) for all access to the cardholder data environment.
  • Greater flexibility for organizations to demonstrate how they use different methods to achieve security objectives.
  • Addition of targeted risk analysis to give entities the flexibility to determine how often they perform certain activities, depending on their business needs and risk exposure.

Version 3.2.1 will remain active for two years to give organizations time to understand the changes, and will eventually be retired on March 31, 2024. The new requirements will come into effect on March 31, 2025. More details about the updates can be found in the Document PCI DSS v4.0 Summary of Changes.

“PCI DSS v4.0 is more responsive to the dynamic nature of payments and the threat environment,” said Emma Sutcliffe, PCI SSC senior vice president and standards officer, in the new release. “Version 4.0 continues to strengthen key security principles while providing greater flexibility to better accommodate diverse technology implementations. These updates are supported by additional guidance to help organizations secure account information now and in the future.”

Leave a Comment