Watch: Payment Card Security: What’s New and Are You Ready?

Date May 22, 2024

Highlights of the May 2024 edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.

As credit and debit cards continue in popular use (there were an estimated 1.25 billion cardholders in 2023), more businesses are required to adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was rolled out in 2004 by the founding members of the PCI Security Standards Council: American Express, Discover, JCB, MasterCard, and Visa. The first major restructuring of the Standard, attributed to changes in how technology was being used by both merchants and attackers, came in 2013 with version 3.0. The Standard has now undergone a second major restructuring with the release of PCI DSS 4.0.

  • The first e-commerce site, launched in the early 1980s, led to a surge in payment card fraud, with Visa and MasterCard reporting more than $750 million in online fraud between 1998 and 1999. Visa then developed its own security standards for companies that accept digital payments.
  • PCI DSS is administered by the card brands that make up the PCI Security Standards Council: American Express, Visa, MasterCard, JCB, and Discover.
    • Version 4.0, announced in 2022, is considered a best practice at this point and will become a required standard as of April 2025.
    • Five involved parties: card issuers, acquiring banks, merchants, service providers, and cardholders.
  • Four levels of PCI-DSS reporting:
    • Level 1: greater than 6 million payment card transactions annually
    • Level 2: between 1 million and 6 million transactions annually
    • Level 3: between 20,000 and 1 million transactions annually
    • Level 4: less than 20,000 transactions annually
  • Control Objectives:
    • Build and Maintain a Secure Network and Systems
    • Protect Account Data
    • Maintain a Vulnerability Management Program
    • Implement Strong Access Control Measures
    • Regularly Monitor and Test Networks
    • Maintain an Information Security Policy 
  • 12 Control requirements by Section:
    • Section 1. Install and maintain a firewall system to protect cardholder data
    • Section 2. Avoid vendor-supplied defaults for system passwords and other security parameters
    • Section 3. Protect stored cardholder data
    • Section 4. Encrypt transmission of cardholder data on open, public networks
    • Section 5. Protect all systems against malware and regularly update anti-virus software
    • Section 6. Develop and maintain secure systems and applications
    • Section 7. Restrict access to cardholder data by business “need to know”
    • Section 8. Identify and authenticate access to system components
    • Section 9. Restrict physical access to cardholder data
    • Section 10. Track and monitor access to network resources and cardholder data
    • Section 11. Regularly test security systems and processes
    • Section 12. Maintain an information security policy that addresses information security for all personnel
  • Compliance validation:
    • Level 1 merchants must validate compliance through a Qualified Security Assessor (QSA)
    • Level 2 merchants: through an Internal Security Assessor (ISA)
    • Levels 3 and 4: through a Self-Assessment Questionnaire (SAQ) and attestation, ranging from 29 requirements for point-to-point encryption (P2PE) to 234 requirements for SAQ D (merchant)
  • Recommendation: Scope your environment so that your cardholder data environment falls outside PCI DSS scope; that way you are not considered a merchant and can pass the requirements to a service provider.
  • Version 4.0 is in effect, required as of March 31, 2024; changes from previous version include:
    • 64 new requirements; some take effect in 2024 and some are required by April 2025
    • New terminology:
      • "account data"
      • "card verification code"
      • "bespoke software" (custom software developed for the entity's own use)
      • "malicious software" replaces "malware"
      • "multi-tenant service provider"
      • "network security controls" replaces "firewall"
      • "trusted network" (internal) and "untrusted network" replaces "internet"
    • Requirement #1: network security control
    • Changes in storage requirements: two for 2024 and three more for 2025
    • Transition change for 2025: how to encrypt data for transmission
    • Anti-malware changes include dealing with frequency of identifying risk, scanning requirements, and tools to protect against phishing
    • Secure systems and applications (Section 6): changes for 2024 relate to software changes, and for 2025 the "test environment" terminology changes to "preproduction"
    • Section 8 changes involve password consistency and will require the minimum password length to increase from 7 to at least 12 characters
    • Section 10 has four changes, including referring to business-as-usual control failures requiring a periodic review
    • Section 11 includes changes to intrusion protection and prevention requirements, and weekly checks for tampering 
    • Many changes in requirement 12, including dealing with acceptable use, PCI scoping and incident response, and for 2025 about flexibility in scale, protocols for review, hardware and software protocols for reviews, service providers documented, and training for incident response
  • Recommendation: Put all changes in place even for 2025 as best practices. Some are complicated so best to implement them as soon as possible to avoid last-minute issues with required changes.
  • Overview of most impactful changes:
    • A lot to consider
    • Password changes from 7 to 12 characters, composition of passwords, and multifactor authentication are important and can take longer to put in place
    • A great deal of new terminology to learn, such as “untrusted network” replacing “internet.”