PCI DSS version 4.0 is the latest iteration of the Payment Card Industry Data Security Standard, released on March 31, 2022, and is currently in effect. The previous version, PCI DSS version 3.2.1, will remain active until March 31, 2024, to give organizations time to adopt the latest version of the standard.
PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard designed to reduce payment card fraud by strengthening the security controls around cardholder data. The standard was first published in 2004 by five major card brands: Visa, Mastercard, Discover, JCB, and American Express. Its primary goal is to protect cardholder data and sensitive authentication data, such as primary account numbers, expiration dates, and card verification codes.
The standard’s security controls help businesses minimize the risk of data breaches, fraud, and identity theft. Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. The standard applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data. The standard is not a law but is enforced through contracts between merchants, acquiring banks that process payment card transactions, and the payment brands.
The latest iteration of the PCI DSS – version 4.0 – was released at the end of March 2022. The standard provides specific, actionable guidance on protecting payment card data, which can be applied to organizations of any size or type that use any method of processing or storing data.
Let’s review some of the key differences between PCI DSS version 4.0 and the previous version:
- Customized Approach: PCI DSS 4.0 adds a customized approach as an alternative to the defined approach for meeting a requirement, giving organizations greater flexibility in how they meet the standard’s objectives. Compensating controls remain available under the defined approach for entities that cannot meet a requirement as written because of a legitimate constraint.
- Security Needs: PCI DSS 4.0 aims to address developing threats and technologies, facilitate more effective ways to combat new threats to cardholder information, boost payment flexibility, and improve business procedures to meet security needs.
- Continuous Security Processes: PCI DSS 4.0 focuses more on maintaining continuous security processes.
- Validation Methods and Procedures: PCI DSS 4.0 enhances validation methods and procedures.
- Flexibility: PCI DSS 4.0 adds flexibility and support for alternative approaches to achieve security.
PCI DSS version 4.0 addresses emerging threats and technologies by focusing on four core goals:
- Ensuring that the standard meets the security needs of an evolving payment industry.
- Promoting continuous security processes.
- Enhancing validation methods and procedures.
- Adding flexibility and support for alternative approaches to achieve security.
To achieve these goals, PCI DSS 4.0 introduces new requirements and modifies existing ones to address potential vulnerabilities and reinforce the security posture of organizations. Some of the changes include:
- Detection of and protection against phishing attacks.
- More stringent password requirements.
- Broader multi-factor authentication requirements.
- Accounts used by vendors and other third parties must be enabled only for the time they are needed and monitored for unexpected activity while in use.
PCI DSS 4.0 also places greater emphasis on security results, giving businesses greater flexibility to select the security technologies and methods that are suitable for their particular environment. The standard aims to continue to evolve to meet the changing needs of the payment card industry and the new technologies being implemented daily.
1Kosmos can help you meet these new requirements, specifically the MFA and password requirements that PCI DSS 4.0 introduces. The stricter authentication requirements are designed to improve the security of cardholder data by making it harder for unauthorized users to access systems and networks.
The following are the key authentication requirements for PCI DSS 4.0:
- Multi-factor authentication (MFA) is required for all remote network access that originates outside the entity’s network, for all non-console access into the cardholder data environment (CDE) by personnel with administrative access, and, as a future-dated requirement that became mandatory on March 31, 2025, for all access into the CDE regardless of where the access originates.
- Passwords must be at least 12 characters long (8 if the system does not support 12) and contain both alphabetic and numeric characters. Where a password is the only authentication factor, it must be changed at least every 90 days or the account’s security posture must be dynamically analyzed to determine access in real time. A new password cannot be the same as any of the last four passwords used.
- Account lockout must be implemented to limit brute-force attacks. After no more than 10 invalid authentication attempts, the account must be locked for at least 30 minutes or until the user’s identity is confirmed, for example through the help desk.
- Administrative access into the CDE requires MFA; a strong password alone is not sufficient for privileged accounts, and the MFA system itself must resist replay and bypass.
The approach we follow here at 1Kosmos lets organizations meet these requirements out of the box. Our self-service KYC workflow is an identity proofing and authentication solution designed to remove friction during onboarding and accelerate customer acquisition. We then give those customers a digital wallet designed to prevent account takeover and financial fraud, and we match the authentication method to the risk associated with each activity.
With 1Kosmos, organizations authenticate users through any of our methods depending on the business need, the risk profile of the activity, and the security requirement for each access request. These methods include a phishing-resistant live biometric (LiveID), device biometrics, push messages, email, SMS and one-time tokens, third-party hardware tokens, Windows Hello, and Mac Touch ID.
All user data is encrypted and, for the highest level of security, stored in a distributed ledger that conforms to the W3C DID standard. It is accessible only through the public/private key pair of a FIDO2-certified authenticator, secured in the device’s TPM or Secure Enclave and under the sole control of the user, typically via a live biometric selfie made possible by our LiveID feature. The distributed ledger also provides immutable audit logs to prove every transaction.