Customization, multi-factor authentication are key features in PCI DSS v4.0 global payment benchmark

Standards are often force-fed to the industries they govern, but that doesn’t seem to be the case with the latest version of the PCI Data Security Council’s global Data Security Standard (PCI DSS). According to the council, during the three years it took to develop the new standard, more than 200 organizations provided more than 6,000 items of feedback.

“The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0,” says PCI SSC executive director Lance Johnson. “Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.”

“We used to think that PCI DSS was a standard enforced onto us one-way, and it was something we could only accept passively,” adds Edward Mao, a senior manager in the Information Security and Privacy Governance Department at the Rakuten Group, an electronic commerce and online retailing company. “However, it is now something we do with key industry experts actively, creating a standard we believe in.”

Organizations will have two years to digest PCI DSS 4

Organizations will have two years to digest the new standard and make any changes from the current standard, PCI DSS 3.2.1, which will be retired on March 31, 2024.
Key elements in the new standard include:

- Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls
- Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment
- Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives
- Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure

PCI DSS v4.0 built for a zero trust mindset

“One of the problems with crafting regulations or pseudo-regulations, like PCI-DSS, is that technology changes and what was once a meaningful security control ceased to be one,” says John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company. “Firewalls mattered 20 years ago. You can’t get rid of them, but what you really want are network security controls that can do meaningful analysis and policy on a per-session basis, so the regulations needed to be changed.”

Alex Ondrick, director of security operations at BreachQuest, an incident response company, maintained that PCI DSS v4.0 is built for a zero trust mindset. “It allows organizations increased flexibility to build and tailor authentication solutions to fit their requirements,” he says. “Arguably, the most important addition to PCI DSS v4.0 is the new requirement to implement multi-factor authentication for all accounts that have access to cardholder data.
Although this is technically a best practice until March 31, 2024, it is a significant step toward securing systems and accounts which are accessing cardholder data.”

Customized approach requires a mature appraisal of risk

While organizations may be looking forward to the additional breathing room given to them by the customization and flexibility provisions in the new standard, Dan Stocker, director of Coalfire, a provider of cybersecurity advisory services, offers a note of caution. “Organizations will want to carefully consider their risk management options under DSS 4.0, especially where they are on the technology leading edge. The customized approach will give them great power but require a mature appraisal of the risk in deviating from the defined approach,” he says. “Likewise, where requirements allow flexible implementation, a targeted risk analysis will be required.”

“These processes are brand new in PCI, and are worth a look,” Stocker adds, “even if they may not be right for every organization.”