PCI DSS version 4.0 is the latest iteration of the Payment Card Industry Data Security Standard, released on March 31, 2022, and currently in effect. The previous version, PCI DSS 3.2.1, remains valid until March 31, 2024, to give organizations time to adopt the latest version. Many of the new requirements introduced in 4.0 are "future-dated": they are considered best practice until March 31, 2025, after which they become mandatory.
PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data. The standard was created in 2004 by five major card brands: Visa, Mastercard, Discover, JCB, and American Express. The primary goal of PCI DSS is to protect sensitive cardholder data, such as primary account numbers (PANs), expiration dates, and security codes.
The standard’s security controls help businesses minimize the risk of data breaches, fraud, and identity theft. Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. The standard applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS is not a law, but it is enforced through contracts between merchants, acquiring banks that process payment card transactions, and the payment brands.
The latest iteration of PCI DSS – version 4.0 – provides specific, actionable guidance on protecting payment card data that can be applied to organizations of any size or type, whatever method they use to process, store, or transmit cardholder data.
Key Differences Between PCI DSS 4.0 and 3.2.1
Some of the main differences between PCI DSS version 4.0 and the previous version include:
Compensating controls and the customized approach:
PCI DSS 4.0 introduces a "customized approach" alongside the traditional "defined approach". Under the customized approach an organization may meet a requirement's stated objective with controls of its own design, supported by a targeted risk analysis and tested by the assessor. Compensating controls remain available under the defined approach for cases where a requirement cannot be met as written, so the two concepts coexist rather than one replacing the other.
Updated security needs:
PCI DSS 4.0 aims to address developing threats and technologies, facilitate more effective ways to combat new threats to cardholder information, boost payment flexibility, and improve business procedures to meet security needs.
Continuous security processes:
PCI DSS 4.0 places more emphasis on maintaining continuous security processes rather than periodic "check-the-box" activities.
Enhanced validation:
PCI DSS 4.0 enhances validation methods and procedures to provide clearer evidence of compliance.
Greater flexibility:
PCI DSS 4.0 adds flexibility and support for alternative approaches to achieve security outcomes.
The Four Core Goals of PCI DSS 4.0
PCI DSS version 4.0 addresses emerging threats and technologies by focusing on four core goals:
Ensuring that the standard meets the security needs of an evolving payment industry
Promoting continuous security processes
Enhancing validation methods and procedures
Adding flexibility and support for alternative approaches to achieve security
To achieve these goals, PCI DSS 4.0 introduces new requirements and modifies existing ones to address potential vulnerabilities and reinforce the security posture of organizations. Some of the changes include:
Detection and protection against phishing attacks
More stringent password requirements
Expanded use of multi-factor authentication (MFA)
Requiring that accounts used by vendors and other third parties for remote access are enabled only for the time period in which they are needed and are monitored for unexpected activity while in use
PCI DSS 4.0 also places greater emphasis on security results, giving businesses more flexibility to select the security technologies and methods that are suitable for their particular environment. The standard is designed to continue evolving to meet the changing needs of the payment card industry and the new technologies being implemented daily.
Authentication Requirements in PCI DSS 4.0
1Kosmos can help you meet the new PCI DSS 4.0 requirements, specifically the MFA and password requirements. These more stringent authentication requirements are designed to improve the security of cardholder data by making it more difficult for unauthorized users to access systems and networks.
Key authentication requirements for PCI DSS 4.0 include:
Multi-factor authentication (MFA):
MFA is required for all remote network access originating from outside the entity's network that could access or impact the cardholder data environment (CDE) (Requirement 8.4.3), and for all non-console administrative access to the CDE (8.4.1). PCI DSS 4.0 extends this to all non-console access into the CDE, not only administrative access (8.4.2, mandatory from March 31, 2025). These rules apply equally when the CDE or the systems accessing it are cloud-based or hosted.
Stronger passwords:
Passwords must be at least 12 characters long (8 characters only where a system cannot support 12) and contain both alphabetic and numeric characters (8.3.6). A new password may not be the same as any of the last four used (8.3.7). Where a password is the only authentication factor for user access, it must be changed at least every 90 days unless the security posture of the account is analyzed dynamically to decide when re-authentication is required (8.3.9).
Account lockout:
Account lockout must be implemented to limit brute-force attacks. After no more than 10 invalid attempts the user ID must be locked out for a minimum of 30 minutes or until the user's identity is confirmed, for example through the service desk (8.3.4).
Strong authentication for privileged accounts:
Strong authentication mechanisms must be used for all privileged accounts. In practice this means MFA for all non-console administrative access, with any passwords those accounts use subject to the complexity, history, age, and lockout rules above.
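The password, history, ageing and lockout rules above are concrete enough to encode directly. The following is an added example, not code from 1Kosmos or from the standard, showing how an application's local credential store could enforce them. The requirement numbers in the comments are this example's reading of PCI DSS v4.0 Requirement 8.3; the function names, the status strings, the PBKDF2 parameters and the sample user "alice" are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters. The requirement numbers are this example's reading of
# PCI DSS v4.0 Requirement 8.3 (assumed mapping, not quoted from the standard).
MIN_LENGTH = 12                            # 8.3.6: 12 chars (8 only if the system cannot do 12)
HISTORY_DEPTH = 4                          # 8.3.7: not the same as any of the last four
MAX_AGE = timedelta(days=90)               # 8.3.9: when a password is the only factor
MAX_FAILED_ATTEMPTS = 10                   # 8.3.4: lock after no more than 10 invalid attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # 8.3.4: locked for at least 30 minutes
PBKDF2_ITERATIONS = 100_000                # assumed work factor for the example

Credential = Tuple[bytes, bytes]           # (salt, PBKDF2-HMAC-SHA256 digest)


def password_violations(pw: str) -> List[str]:
    """Return the 8.3.6 rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    return problems


def _derive(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not reversible (8.3.2).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(pw: str, cred: Credential) -> bool:
    salt, digest = cred
    return hmac.compare_digest(_derive(pw, salt), digest)   # constant-time compare


@dataclass
class Account:
    user_id: str
    # The last HISTORY_DEPTH credentials, oldest first; the current one is last.
    credentials: List[Credential] = field(default_factory=list)
    changed_at: datetime = datetime.min
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def create_account(user_id: str, pw: str, now: datetime) -> Account:
    problems = password_violations(pw)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)
    return Account(user_id, [(salt, _derive(pw, salt))], now)


def change_password(acct: Account, new_pw: str, now: datetime) -> List[str]:
    """Apply 8.3.6 and 8.3.7. Returns the violations; an empty list means the change was applied."""
    problems = password_violations(new_pw)
    if any(_matches(new_pw, c) for c in acct.credentials):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if problems:
        return problems
    salt = secrets.token_bytes(16)
    acct.credentials.append((salt, _derive(new_pw, salt)))
    acct.credentials = acct.credentials[-HISTORY_DEPTH:]   # keep only the last four
    acct.changed_at = now
    return []


def authenticate(acct: Account, pw: str, now: datetime) -> str:
    """Password check with 8.3.4 lockout and 8.3.9 ageing. Returns a status string."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"              # still inside the 30-minute lockout window
        acct.locked_until = None         # lockout elapsed; the counter starts fresh
        acct.failed_attempts = 0
    if not _matches(pw, acct.credentials[-1]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.changed_at > MAX_AGE:
        return "password_expired"        # caller must force a change before granting access
    return "ok"


def confirm_identity_and_unlock(acct: Account) -> None:
    """8.3.4 alternative to waiting out the lockout: unlock once the service desk has verified the user."""
    acct.failed_attempts = 0
    acct.locked_until = None
```

Two points worth noting when adapting this. The password history is kept as separately salted hashes, so a candidate password is re-derived against each stored entry rather than compared in plaintext, and the lockout counter is only reset by a successful login, by the lockout window elapsing, or by an explicit identity confirmation. None of this substitutes for the MFA requirements in 8.4: for any non-console access into the CDE the password check above is at most one factor.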
How 1Kosmos Helps Meet PCI DSS 4.0
The approach we follow at 1Kosmos ensures organizations can meet these requirements out of the box.
Our elegant self-service KYC workflow is an innovative identity proofing and authentication solution designed to remove friction during onboarding and accelerate customer acquisition. We then give those customers a convenient digital wallet that eliminates account takeover and financial fraud, and matches the authentication method to the risk associated with the activity.
With 1Kosmos, organizations can authenticate users via any of our methods depending on the business need, the risk profile of the activity, and the security requirement for each access request. These methods include:
A phishing-proof real biometric (LiveID)
Device biometrics (e.g., FaceID, TouchID)
Push message
Email/SMS/token
Third-party hardware token
Windows Hello
Mac Touch ID
All user data is encrypted and, for the highest level of security, stored in a distributed ledger compliant with the W3C DID standard. As such, data is accessible only via a FIDO2 public/private key pair whose private key is secured in the TPM/Secure Enclave of the user's device and under the sole control of the user, typically unlocked with their live biometric selfie, made possible by our LiveID feature. The distributed ledger also provides immutable audit logs to prove every transaction.
To learn more about 1Kosmos, visit the platform capabilities and feature comparison pages of our website.
Enter our orbit.