Payment card data is one of the most common targets an attacker goes after when attacking an organization. Data breaches and credit card fraud are frequent, and protecting credit card data has become a key priority for organizations, especially in retail and Financial Services (FS).
That’s why the Payment Card Industry Data Security Standard (PCI DSS) emerged in 2004. It is a set of requirements that aims to ensure that any organization that processes or stores credit card information can do so securely. Those requirements are continually updated, and the latest version – PCI DSS 4.0 – was released in 2022.
How does PCI DSS 4.0 differ from previous versions, and how can you ensure your organization is ready for the changes?
PCI DSS 4.0 – next-gen PCI compliance
PCI DSS 4.0 was brought in to address changes in how credit cards have been used over the past few years. The pandemic created a large spike in online payments and in the use of Point of Sale (POS) machines, so the volume of credit card data grew significantly.
With much of this data stored on cloud platforms, attackers gained additional targets. The previous version of PCI DSS no longer addressed this environment adequately, so PCI DSS 4.0 was introduced.
The good news for organizations that struggle with PCI compliance is that the 12 core PCI DSS requirements have not fundamentally changed with PCI DSS 4.0. The main difference is that the requirements now focus on security objectives to guide how security controls should be implemented.
The main goals for PCI DSS 4.0 can be summarized as follows:
- Ensuring the standard meets the security needs of the payments industry.
- Promoting security as a continuous process.
- Enhancing validation methods and procedures.
This focus on security in PCI DSS 4.0 is something we’ve been keen to see. One of the main specific changes concerns the need for stronger authentication requirements, acknowledging the role of Identity and Access Management (IAM) in safeguarding cardholder data. Another is expanded applicability for encrypting cardholder data, and both are areas in which Fortra has a hugely effective proposition.
Furthermore, organizations have time to implement these changes: although PCI DSS 4.0 goes into effect on March 31, 2024, the transition period does not end until March 31, 2025. This is intended to give organizations time to devise and implement the changes needed to meet the updated requirements.
Achieving compliance
Many areas of potential PCI vulnerability – email correspondence, social media, 'contact us' web forms, chat platforms – expose the customer and organization to undue risk and error. In each case, payment card data is distributed through an organization and needs to be contained, secured, and managed within PCI DSS guidelines.
Fortra's Clearswift Secure Email Gateway
Clearswift’s Secure Email Gateway uses Adaptive Redaction technology to automatically scan for and redact payment card details before they even enter the organization. This means the credit card number is replaced with hash characters. The same functionality also removes information that has been hidden, for example in a hidden column or row of a spreadsheet that contains PCI data. Thanks to OCR scanning, this extends to payment card information sent as scanned images or photographs.
This approach is one of the most effective components in ensuring PCI DSS 4.0 compliance. It detects and removes only the information that breaks PCI DSS guidelines, allowing the rest of the message to go ahead unhindered. This avoids the break in communication that 'stop and block' approaches cause.
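To make the redaction idea above concrete, here is a small added example (not Clearswift or Fortra code) that scans a message body for candidate card numbers, keeps only those that pass the Luhn check, and replaces their digits with hash characters while leaving the rest of the text untouched; the message text, the order number and the test card numbers are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample message: one real-looking (test) card number plus an
# order number that is long enough to look like a PAN but fails Luhn.
SAMPLE_MESSAGE = (
    "Hi, please charge my card 4111 1111 1111 1111 for order 1234567890123 "
    "and call me on 555-0100. Thanks!"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number in text with '#' characters.

    Separators (spaces/dashes) are preserved so the surrounding text keeps its
    shape; anything that merely looks like a PAN but fails Luhn (order numbers,
    tracking numbers) is left as-is, mirroring the 'redact only what breaks the
    rules' behaviour described above. Returns (redacted_text, number_redacted).
    """
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # false positive: leave the original intact
        count += 1
        return "".join("#" if c.isdigit() else c for c in raw)

    return PAN_RE.sub(_sub, text), count


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_MESSAGE)
    print(f"{n} card number(s) redacted:\n{redacted}")
```

A production scanner would additionally try sub-windows of a long digit run and handle the OCR and spreadsheet cases the text mentions; this block covers only plain message text.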
Fortra's Agari DMARC Protection
Under requirement 5.4.1 (anti-phishing mechanisms protect users against phishing attacks), organizations are “encouraged to consider a combination of approaches.” Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that lets a domain owner tell receiving mail servers to identify and quarantine messages that fail authentication, preventing fraudulent use of legitimate brands. A DMARC record provides anti-spoofing protection by using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records to validate messages.
If you do not already have these authentication controls in place, the time to start is now. Fortra automatically implements a full DMARC solution for you, even if you’re starting from scratch. The system scans the web and your DMARC reports to proactively identify and shut down spoofing attempts and lookalike domain attacks.
Get more information.
PCI DSS 4.0 is an essential standard, and non-compliance can result in a significant financial penalty or long-term damage to a brand. We've covered this in more detail in our new report, "PCI DSS 4.0 – What Is Best Practice?"