What Changes Does the New PCI DSS v4 Bring?
1. Continue Meeting the Security Needs of the Payment Industry
Why It’s Important: Security practices must evolve as threats change.
Examples:
- Expanded requirements for multi-factor authentication.
- Updated password requirements.
- New requirements for e-commerce and phishing to address ongoing threats.
2. Promote Security as an Ongoing Process
Why It’s Important: Criminals never sleep. Continuous security is crucial to protect payment data.
Examples:
- Clearly assigned roles and responsibilities for each requirement.
- Added guidance to help individuals better understand how to implement and maintain security.
3. Increase Flexibility for Organizations Using Different Methods to Achieve Security Objectives
Why It’s Important: Greater flexibility provides more options to achieve the goal of a requirement and supports payment technology innovation.
Examples:
- Assignment of group, shared, and generic accounts.
- Specific risk analyses allow organizations to set frequencies for certain activities.
- The customized approach, a new method to implement and validate PCI DSS requirements, offers another option for organizations using innovative methods to achieve security objectives.
4. Strengthen Validation Methods and Procedures
Why It’s Important: Clear validation and reporting options support transparency and granularity.
Example:
- Greater alignment between information reported in the Report on Compliance or Self-Assessment Questionnaire and the summary information in the Attestation of Compliance.
Remember, compliance with the PCI DSS, the standard maintained by the PCI Security Standards Council, is mandatory. The Council is an open global forum dedicated to the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.
At Evertec, we are your business ally. If you have any questions, contact us for guidance.
References:
https://blog.pcisecuritystandards.org/pci-dss-v4-whats-new-with-self-assessment-questionnaires