As COVID hit businesses around the world, and shops were either closed or no longer accepting cash as the preferred method of payment, we saw a dramatic increase in payment card data volume. Fast-forward to today, and the volume of online transactions and
use of point-of-sale machines continue to soar. As most of the data is held in the cloud, the opportunities for cyber-attacks are spiking at the same time, which means that the previous version of the Payment Card Industry Data Security Standard (PCI DSS)
is no longer sufficient.
Since 2004, the PCI DSS has ensured that organisations processing or storing credit card information can do so securely. After the pandemic, the guidance on security controls was in urgent need of an update. This is when the new version – PCI DSS v4.0 –
was announced. While companies have two years to plan their implementation, most financial businesses must have everything in place by March 2025. However, there is a risk of working to a long-lead deadline as it fails to create a sense of urgency, and many
of the security updates included in the new standard are practices that businesses should have already implemented.
For example, “8.3.6 – Minimum level of complexity for passwords when used as an authentication factor” or “5.4.1 – Mechanisms are in place to detect and protect personnel against phishing attacks” are listed as “non-urgent updates to implement in 36 months”.
With the high level of cyber threats following the Russian-Ukrainian conflict, this timeframe isn’t fast enough to raise the level of cyber protection needed by financial institutions and retail businesses which poses a real threat to customer data and privacy.
To break it down even further, there are some important and interesting numbers that illustrate both its scope and limitations:
Let’s look closer at the 13 immediate changes for all V4.0 assessments, which include items such as “Roles and responsibilities for performing activities are documented, assigned and understood”. These comprise 10 of the 13 immediate changes, which means
the bulk of the “urgent updates” are basically accountability points, where companies accept that they should be doing something.
And now let’s look at the updates that “need to be effective by March 2025”:
5.3.3: Anti-malware scans are performed when removable electronic media is in use
5.4.1: Mechanisms are in place to detect and protect personnel against phishing attacks.
7.2.4: Review all user accounts and related access privileges appropriately.
8.3.6: Minimum level of complexity for passwords when used as an authentication factor.
8.4.2: Multi-factor authentication for all access into the CDE (Cardholder data environment)
10.7.3: Failures of critical security control systems are responded to promptly
These are just six of the 51 “non-urgent” updates, and I find it unbelievable that the detection of phishing attacks and use of anti-malware scans are part of that list. Today, with phishing attacks at an all-time high, I would expect any global financial
institution with sensitive data to protect to have these in place as essential requirements, not something to have in place in three years’ time.
Despite the threats of huge fines and the risk of having credit cards as a payment method withdrawn if organisations failed to comply with PCI standards, only a few penalties were actioned so far. Waiting a further three years to implement the new requirements
contained within V4.0 seems to imply a lack of ownership that some of the changes deserve and is far too risky.
I appreciate that it does not mean companies have not already implemented some or all of the updates. However, for those who have not, actioning those updates will require investment and planning, and for these purposes, PCI DSS V4.0 needs to be more specific.
For example, if security failures need to be responded to “promptly”, does that mean 24 hours, 24 days or 24 months? I believe that stakeholders would be much better served with more specific deadlines.
While PCI DSS V4.0 represents a good basis for moving the standard forward, it should have been implemented with greater urgency. Granted, there are a lot of changes to address, but a better strategy would be to adopt a phased approach, i.e. prioritise changes
required immediately, in 12 months, 24 months and 36 months from now rather than say they must all be effective in three years’ time.
Without this guidance, it’s likely some organisations will shelve these projects to be looked at in two years’ time when the implementation plan deadline approaches. However, in an era when payment card crime continues to be a ubiquitous risk, there is little
to be gained from delay.