In an effort to reduce those losses and keep pace with the rapidly evolving threat landscape, the PCI Security Standards Council (PCI SSC), the global standards body behind the Payment Card Industry Data Security Standard, has issued a major upgrade to its rules governing how credit card data is to be stored, processed and protected.

Full PCI DSS 4.0 compliance required by March 2025

The new standard, PCI DSS 4.0, was unveiled in March 2022. The current standard, PCI DSS 3.2.1, remains in effect until March 31, 2024, when it will be officially retired. Until then, organizations may be assessed against either version; after that date, every assessment must be against 4.0. A further set of new requirements is treated as best practice during the transition and becomes mandatory on March 31, 2025, so organizations must be fully compliant with 4.0 by then.

That might seem like a long lead time, but experts say enterprises shouldn't put off their PCI DSS 4.0 compliance efforts until the last minute. The new requirements represent a significant change. The PCI DSS 4.0 document runs to 360 pages and covers everything from very specific items, such as raising the minimum password length from seven to 12 characters, to general guidance on procedures and policies.

"This is a big deal," says Marc Rubinnaccio, senior compliance manager at Secureframe, which helps companies automate their compliance efforts. "It is the latest major iteration of the PCI DSS standard and implements significant changes in requirements to focus on maintaining continuous security plus new methods to meet those requirements."

The new requirements touch on every aspect of security, including firewalls, anti-virus software, network segmentation, multifactor authentication, encryption, access control, active monitoring, intrusion detection, and incident response.

PCI DSS 4.0 compliance is a three-step process

Ian Terry, director of cybersecurity services at AWA International, a consulting firm that performs PCI DSS audits, says that compliance is a three-step process. First, companies need to conduct a comprehensive pre-assessment to identify the gaps between their current systems and the new requirements. Then they need to perform the remediation work that closes those gaps and brings the organization into compliance with the new rules. Finally, they need to bring in a qualified security assessor (QSA), an auditor certified by the PCI SSC, to conduct the formal compliance assessment.

For enterprises, PCI DSS compliance could be a challenge because companies need to juggle these efforts with all of the other technology initiatives that consume IT staff resources, such as cloud migration or digital transformation, Terry says.

What are the biggest changes in PCI DSS 4.0?

Gary Glover, vice-president of assessments at SecurityMetrics, a firm that conducts PCI DSS audits, says there are 53 new requirements in PCI DSS 4.0 that apply to merchants and any company that stores or processes credit card data, plus another 11 that apply only to transaction processing service providers.

Customization: The biggest change on a conceptual level is that PCI DSS 4.0 for the first time allows organizations to take a customized approach to compliance, rather than having to follow the defined requirements of the standard. For example, the standard talks about passwords, but an enterprise might want to move to an entirely passwordless system built on tokens, smart cards, biometrics, encryption keys, or certificates, says Anthony Jones, head of the cybersecurity practice at AWA.

The customized approach recognizes that there may be more than one path to a security objective, and it lets organizations innovate as long as they can demonstrate to their assessor that the alternative control meets that objective. In practice that means documenting the control, the targeted risk analysis that justifies it, and the evidence that it works, so the assessor can test it; the customized approach is available only to organizations undergoing a full QSA assessment, not to those self-assessing with a questionnaire. It provides greater flexibility and is aimed at organizations that want to use alternate security controls or new technologies.

Lauren Holloway, director of data security standards at the PCI Security Standards Council, emphasizes that the customized approach is not aimed at smaller, less tech-savvy companies that might be struggling to meet the standard and need a workaround. It's quite the opposite, she says: the defined approach is "suited for organizations that already have controls in place to meet a requirement and are comfortable with the current methods for validating those controls."