

What’s new about PCI DSS 4.0?


In a way, the credit and debit card industry is a key factor driving the world of finance and economies. The current pandemic seems not only to have further propelled the use of card-based and other online payment methods, but also to have caused a surge in fraud, leaving users duped and businesses more vulnerable.

In the UK, card payments were 75.3% higher in early April 2020, compared to the same period in 2019, while contactless payment rose, making the switch to contactless even more appealing.[1]

It was the Payment Card Industry Data Security Standard (PCI DSS) that established a firm set of guidelines, back in 2004, to help reduce credit card fraud.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.[2]

With cardholder data such as the cardholder’s name, primary account number, expiration date and service code becoming sacrosanct, efforts to protect this information had already gained momentum before the standard was introduced.

Organizations need to fulfil a variety of requirements to comply with the new PCI DSS 4.0 standard. Among them are maintaining secure networks and systems, protecting cardholder data, implementing strong access control measures and improving weak ones, monitoring and testing, and maintaining an information security policy. Each of these has many aspects; securing networks, for example, includes the deployment of network intrusion detection and prevention systems. Another aspect is the use of CAPTCHA on critical functions, that is, when a user is registering or entering payment information, to thwart automated attacks. The standard has 12 PCI DSS requirements and over 100 security controls.

What is the origin of PCI DSS?

The 2000s saw the boom of eCommerce, which needed the backing of the payment card industry to succeed. With the increasing sale and purchase of goods and services online, monetary exchange through cards became the mainstay. With it came card-based fraud, which impacted users and negatively affected the eCommerce industry as a whole. The credit card companies rallied to innovate on new ideas in order to secure the cardholder environment. In 2004, the founding companies of PCI DSS, including American Express, Discover, Visa, MasterCard and JCB International, established the first version of PCI DSS.

What did PCI DSS lack?

PCI DSS was earlier criticized for being very expensive to implement, time-consuming and confusing to comply with. Every version has brought progressive changes, and with emerging cybersecurity threats it will continue to evolve. The earlier versions were prescriptive in nature, which created confusion in the industry, as businesses didn’t know how much to aim for and attain across all the areas.

What’s new with PCI DSS 4.0?

PCI DSS 4.0 is the latest version of this standard and is expected to be released by mid-2021 by the PCI Security Standards Council, which is responsible for it. PCI DSS 4.0, which is the tenth version, has many new aspects, including in how businesses comply.

  • PCI DSS 3.2.1 had many strict requirements, which dictated how the objectives must be achieved. The compliance rules of PCI DSS 4.0, on the other hand, are expected to be much more flexible.

  • It replaces the compensating controls with an alternate option, that is, customized implementation. Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.[3]

  • Enterprises can also expect new control requirements, such as an expansion of the encryption of cardholder data over any transmission, including within trusted networks.[4]

  • Another change in the new version is the coverage of cloud services, which brings another set of security protocols, as platform as a service (PaaS), network as a service (NaaS) and similar models are now widely used.

  • The additional guidelines will have a key focus on security, which the payment card industry will have to adopt as a continuous process.

Businesses have enough reason to comply with these standards, because PCI DSS non-compliance can lead to monthly penalties from the credit card companies (Visa, MasterCard, Discover, AMEX) and legal action, besides loss of revenue and harm to their reputation.

Now, especially with COVID-19, users are increasingly worried about how their credit or debit card data is used, validated, processed, stored and transmitted by businesses, banks, retail chains, merchants and other parties, as fraud continues to rise. With e-wallets and Unified Payments Interface (UPI)-based payments coming into the mix, the security of cardholder data is paramount for the success and continuation of such payment methods in the future.

[1] COVID-19 Increase in Card Payments is leading to an increase in Adapted Fraud Schemes | PaymentsJournal

[2] Payment Card Industry Data Security Standard – Wikipedia

[3] The Complete Guide to PCI-DSS 4.0 | ColorTokens Zero Trust Cybersecurity

[4] The Complete Guide to PCI-DSS 4.0 | ColorTokens Zero Trust Cybersecurity