On March 31, 2022, the PCI Security Standards Council (PCI SSC) released the latest version of the PCI Data Security Standard (PCI DSS), outlining the technical and operational requirements for securing payment card data. The standard originally replaced a myriad of card-brand compliance programs to reduce the confusion and inconsistencies that plagued the process in the past.
The current 4.0 release replaces PCI DSS 3.2.1, released in May 2018. The PCI SSC received input from various organizations to help them develop the new standard. That was done to help the new guidelines align with the realities of business entities tasked with implementing updated security controls.
Organizations have 24 months from the publication date of PCI DSS 4.0 to transition fully to the new standard. In the meantime, businesses need to understand the most significant changes between PCI DSS 3.2.1 and 4.0 and their impact on established policies. The latest version also attempts to resolve ambiguous areas that were open to differing interpretations.
Let’s look at the most significant changes in the guidelines and their impacts on businesses.
Section 8 of the PCI DSS now includes a requirement to implement multi-factor authentication (MFA) for anyone needing to access the cardholder data environment (CDE). Organizations need to have more than one method of authenticating users. The goal is to reduce the probability of an attacker pretending to be a legitimate user and gaining access to a company’s system.
That means organizations must move on from only requiring a single password for access. The new requirement doesn’t apply to system or application accounts performing automated tasks. There’s no need to make updates to point-of-sale terminals that only access one card number at a time for sales transactions.
The new MFA requirements apply to access to CDE by
• Any personnel connecting from outside a business entity’s network
• Any remote access given to vendors and third parties
MFA is not required for remote access to parts of the network that are segmented from the CDE. The requirements do apply to the following system components:
• Cloud infrastructure
• Hosted systems
• On-premises applications
• Network security devices
• Workstations
• Servers
• Endpoints
• Web-based access to applications or functions
Any MFA system put in place must meet the following standards:
• It must not be vulnerable to replay attacks, where an attacker captures a legitimate authentication exchange and later resends it, delayed or redirected, to gain access.
• Users must not be able to bypass the MFA system without an authorized, time-limited exception.
• It must require all factors to succeed before granting access.
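An added example (not code from the original post or from Kiuwan) of a login check that meets the three properties listed above: both factors are evaluated on every attempt, access is granted only when all of them succeed, and a TOTP code is accepted for one time step at most, so a code captured in transit cannot be replayed. The user record, the 30-second step handling and the strict no-window policy are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time

def make_user(password, totp_secret):
    """Constructed demo user record: salted PBKDF2 password hash plus a TOTP seed."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret,
            "last_totp_step": -1}  # highest 30-second step already accepted

def totp_code(secret, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_login(user, password, code, now=None):
    """True only when both factors verify in the same attempt.

    Both factors are always evaluated, so the response does not reveal which
    one failed, and a TOTP step is accepted at most once: a code captured on
    the wire cannot be replayed, even inside its 30-second validity window.
    (Assumption: no tolerance window for clock drift, to keep the check strict.)
    """
    now = time.time() if now is None else now
    step = int(now // 30)
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000),
        user["pw_hash"])
    totp_ok = (step > user["last_totp_step"]
               and hmac.compare_digest(code, totp_code(user["totp_secret"], step)))
    if pw_ok and totp_ok:
        user["last_totp_step"] = step  # burn this step so the code cannot be reused
        return True
    return False
```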
Another impactful change in the PCI DSS 4.0 update is a new requirement to expand the minimum length of passwords. Instead of seven, businesses must require passwords to be at least 12 characters long. If a company’s systems cannot support that length, the password must be at least eight characters long. The update applies only to passwords and passphrases used in MFA.
Where a service provider’s customers use only a password to access information, that password must be changed at least once every 90 days. If that doesn’t happen, the provider should automatically review the security posture of those accounts and prompt a change when needed. Another update to password policy in PCI DSS 4.0 prohibits hard-coding passwords into files or scripts used for interactive login.
The new PCI DSS updates recognize the need to add accountability around system and application accounts management. Many companies allow interactive access to these accounts, where they mimic the actions of regular users. Any system or application accounts used for interactive logins must be managed in the following manner:
• Stop using the accounts for interactive purposes unless there are exceptional circumstances
• Add a time limit around any exceptions for interactive use
• Document the business justification for allowing an account to be used for interactive purposes
• Get explicit permission from upper management for interactive use by the account
• Confirm the identity of individual users before granting access to an account used in this manner
• Attribute every action taken by the account to an individual user
• Configure system and application accounts to prevent hijacking by unauthorized users
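An added example (not from the original post or from Kiuwan) of how the account-management rules above can be checked automatically in an audit log review: interactive logins by a system account are flagged unless a documented, management-approved and still-valid exception exists and the action is attributed to a named individual. The exception register, the `svc_` naming convention, the log format and the sample lines are all constructed for this illustration.

```python
import re
from datetime import datetime

# Hypothetical exception register: approvals for interactive use of a system
# account must be documented, management-approved and time-limited.
EXCEPTIONS = {
    "svc_batch": {"approved_by": "ciso", "justification": "month-end reconciliation",
                  "expires": "2024-03-31T23:59:59+00:00"},
}

# Hypothetical naming convention: system/application accounts start with svc_.
SERVICE_ACCOUNT = re.compile(r"^svc_\w+$")

# Hypothetical log format:
#   <ISO timestamp> login type=<interactive|noninteractive> account=<name> actor=<person or ->
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login type=(?P<type>\w+) account=(?P<acct>\S+) actor=(?P<actor>\S+)$")

def review_line(line):
    """Return a finding string for a non-compliant line, or None if acceptable."""
    m = LOG_LINE.match(line)
    if not m:
        return f"unparseable line: {line!r}"
    if m["type"] != "interactive" or not SERVICE_ACCOUNT.match(m["acct"]):
        return None  # human logins and automated use are out of scope here
    exc = EXCEPTIONS.get(m["acct"])
    if exc is None:
        return f"{m['acct']}: interactive login with no documented exception"
    if datetime.fromisoformat(m["ts"]) > datetime.fromisoformat(exc["expires"]):
        return f"{m['acct']}: interactive login after exception expired ({exc['expires']})"
    if m["actor"] == "-":
        return f"{m['acct']}: interactive login not attributed to an individual"
    return None

def review_log(lines):
    return [f for f in (review_line(l) for l in lines) if f is not None]

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-15T10:00:00+00:00 login type=interactive account=svc_batch actor=alice",
    "2024-03-15T10:05:00+00:00 login type=interactive account=svc_batch actor=-",
    "2024-04-02T08:00:00+00:00 login type=interactive account=svc_batch actor=alice",
    "2024-03-15T11:00:00+00:00 login type=interactive account=svc_web actor=bob",
    "2024-03-15T11:30:00+00:00 login type=noninteractive account=svc_web actor=-",
    "2024-03-15T12:00:00+00:00 login type=interactive account=bob actor=bob",
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```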
Section 3, which addresses protections around account data, added new requirements for businesses to minimize the amount of sensitive authentication data (SAD) they store before receiving authorization. The standards around what data to keep and how to dispose of the information should be defined in a company’s retention policy.
Businesses will need to review what information gets kept by a third-party service provider (TPSP), like one that provides cloud services, and ensure they meet those standards. Once stored data exceeds the period outlined in a retention policy, organizations need to find a way to delete the information or make it unrecoverable.
A good practice is to run automated tools that monitor the storage areas holding SAD and flag data kept beyond the retention period. Every scan result should be validated and recorded as completed.
Another data change that impacts companies is a requirement to place restrictions around moving primary account numbers (PANs) through remote access technology such as a virtual desktop. Companies need to implement technology that keeps unauthorized users from copying or relocating PAN data from remote devices.
Only individuals with proper authorization and a legitimate business reason should have the authority to move or copy PAN data. Other new restrictions that apply to PANs include:
• Requiring keyed cryptographic hashes to make PANs unreadable
• Only allowing encryption alone to protect PANs on removable media; on non-removable media, a secondary method must also make PANs unreadable
• Requiring businesses to validate the certificates used to transmit PANs over an open network
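An added example (not from the original post or from Kiuwan) of the keyed-hash requirement above: a PAN is rendered unreadable with HMAC-SHA256 under a secret key rather than a plain digest, alongside the Luhn check and masking helpers that a storage scan for PANs left in the clear would use. The Visa test number 4111111111111111 and the sample record are constructed inputs; the key-management arrangement is an assumption.

```python
import hashlib
import hmac
import re

def luhn_valid(pan):
    """Luhn check used by card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_pan_syntax(s):
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s)

def mask_pan(pan):
    """Display form: at most the first six and last four digits; the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def keyed_pan_hash(pan, key):
    """HMAC-SHA256 of the PAN under a secret key.

    An unkeyed hash of a PAN is weak: once the issuer prefix is known, only a
    few billion Luhn-valid candidates remain, so a plain digest can be matched
    from a precomputed table. With HMAC the digest is useless without the key,
    which must be stored and managed separately from the hashed data
    (assumed here to be supplied by the caller from a key-management system).
    """
    if not is_pan_syntax(pan):
        raise ValueError("not a syntactically valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_clear_pans(text):
    """Digit runs that pass the Luhn check, for scanning storage for PANs left in
    the clear. Returns masked values so the scan report itself holds no PAN."""
    return [mask_pan(m) for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]
```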
Business entities must set up periodic evaluations of system components that were determined not to be at risk from malware. The frequency of these reviews should depend on the likelihood of bad actors targeting those seemingly safe pieces of company infrastructure.
Organizations must also install a malware solution to protect removable electronic media. The security tools should automatically scan media upon insertion, connection, or mounting. Alternatively, the solution should execute an ongoing behavioral analysis of all systems or processes upon insertion or connection of the removable media.
New security controls are required for public-facing web applications: the tools must provide continuous detection and prevention of web-based attacks. Businesses must also identify and list any bespoke, custom, and third-party software to make vulnerability and patch management easier. Companies can acquire software inventory tools to accommodate that.
The new PCI DSS standard also requires business entities to
• Maintain an up-to-date list of point-of-interaction (POI) devices that interact with a customer’s card
• Implement automation to perform audit log reviews
• Perform a targeted risk analysis to define how often log reviews must be performed for all system components
• Provide a quick response to any security control failures
• Document the scope of PCI DSS at least once every 12 months or when there is a significant change to an in-scope environment
The new changes emphasize the need for organizations to implement MFA for access to the CDE. Other updates include expanded requirements around password security, increased protections against malicious software, and better management of system accounts.
Kiuwan offers various security solutions to help business entities comply with the standards outlined in PCI DSS. Learn more about how we can help your company prepare for the full implementation of PCI DSS 4.0 by scheduling a consultation.