Highlights of the May 2024 edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.
As credit and debit cards remain in popular use (an estimated 1.25 billion cardholders in 2023), more businesses are required to adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was rolled out in 2004 by the founding members of the PCI Security Standards Council: American Express, Discover, JCB, MasterCard, and Visa. The first major restructuring of the Standard, driven by changes in how technology was being used by both merchants and attackers, came in 2013 with version 3.0. The second major restructuring came with the release of PCI DSS 4.0.
The first e-commerce sites, launched in the early 1980s, led to a surge in payment card fraud: Visa and MasterCard reported more than $750 million in online fraud between 1998 and 1999. Visa then developed its own security standard for companies that accept digital payments.
PCI DSS is administered by the card brands through the PCI Security Standards Council: American Express, Discover, JCB, MasterCard, and Visa.
Version 4.0 was published in 2022. It became the only active version of the Standard on March 31, 2024; the future-dated requirements it introduced are considered best practice until March 31, 2025, when they become mandatory.
Five parties are involved: card issuers, acquiring banks, merchants, service providers, and cardholders.
Four levels of PCI-DSS reporting:
Level 1: greater than 6 million payment card transactions annually
Level 2: between 1 million and 6 million transactions annually
Level 3: between 20,000 and 1 million transactions annually
Level 4: less than 20,000 transactions annually
Control Objectives:
Build and Maintain a Secure Network and Systems
Protect Account Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
12 Control requirements by Section:
Section 1. Install and maintain a firewall system to protect cardholder data
Section 2. Avoid vendor-supplied defaults for system passwords and other security parameters
Section 3. Protect stored cardholder data
Section 4. Encrypt transmission of cardholder data on open, public networks
Section 5. Protect all systems against malware and regularly update anti-virus software
Section 6. Develop and maintain secure systems and applications
Section 7. Restrict access to cardholder data by business “need to know”
Section 8. Identify and authenticate access to system components
Section 9. Restrict physical access to cardholder data
Section 10. Track and monitor access to network resources and cardholder data
Section 11. Regularly test security systems and processes
Section 12. Maintain an information security policy that addresses information security for all personnel
Compliance validation:
Level 1 merchants must validate compliance through an on-site assessment by a Qualified Security Assessor (QSA).
Level 2 merchants: through an Internal Security Assessor (ISA).
Levels 3 and 4: through a Self-Assessment Questionnaire (SAQ) with an attestation of compliance. The SAQs range from 29 requirements for SAQ P2PE (point-to-point encryption) to 234 requirements for SAQ D (merchant).
Recommendation: Scope the cardholder data environment as narrowly as possible. Where payment handling can be outsourced to a PCI DSS-validated service provider so that cardholder data never enters your own systems, most of the requirements pass to that provider; you remain responsible for validating your reduced scope.
Version 4.0 is in effect and has been required since March 31, 2024. Changes from the previous version include:
64 new requirements: 13 effective immediately with version 4.0, and the remaining 51 future-dated requirements required by March 31, 2025.
New terminology: "account data"; "card verification code"; "bespoke software" (developed for the entity by a third party) and "custom software" (developed by the entity for its own use); "malicious software (malware)" in place of "malware"; "multi-tenant service provider"; "network security controls" replaces "firewall"; and "trusted network" (internal) and "untrusted network" replace "internet".
Requirement 1 now refers to network security controls rather than firewalls.
Requirement 3 (stored account data): two changes for 2024 and three more for 2025.
Requirement 4 transition change for 2025: how account data is encrypted for transmission.
Requirement 5 (anti-malware) changes include how often the malware risk is re-evaluated, scanning requirements, and mechanisms to protect personnel against phishing.
Requirement 6 (secure systems and applications): changes for 2024 relating to software changes, and for 2025 the "test environment" terminology changes to "preproduction".
Requirement 8 changes involve password consistency; the minimum password length rises from 7 to at least 12 characters.
Requirement 10 has four changes, including treating failures of business-as-usual security controls as events that require a periodic review.
Requirement 11 includes changes to intrusion detection and prevention requirements, and weekly tamper-detection checks (PCI DSS 4.0 applies these to payment pages).
Requirement 12 has many changes, including acceptable use, PCI scoping and incident response, and for 2025: flexibility in scale, review protocols, hardware and software review protocols, documentation of service providers, and incident response training.
Recommendation: Put all changes in place now, even those not required until 2025, as best practices. Some are complicated, so it is best to implement them as soon as possible to avoid last-minute issues with required changes.
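The Requirement 8 password change above is the one most organizations underestimate, because it touches every authentication system in scope. The following is an added example, not material from the HBK webinar, of a policy check implementing the PCI DSS 4.0 password rules: a minimum of 12 characters (8 only where a system cannot support 12), both alphabetic and numeric characters, and no reuse of any of the last four passwords. The history check is done against salted PBKDF2-HMAC-SHA-256 hashes so the policy never needs plaintext history. The iteration count, salt size and sample passwords are assumptions for the example.

```python
"""Added example (not from the HBK webinar): checking a proposed password
against the PCI DSS 4.0 rules discussed above: at least 12 characters (8 where
12 is unsupported), at least one letter and one digit, and not equal to any of
the user's last four passwords.  Hash parameters are illustrative assumptions."""
import hashlib
import os
import secrets

MIN_LENGTH = 12              # PCI DSS 4.0 minimum; use 8 only where 12 is unsupported
HISTORY_DEPTH = 4            # the last four passwords may not be reused
PBKDF2_ITERATIONS = 200_000  # assumed value; tune to your platform's budget


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a password; a fresh random salt is made if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def policy_violations(password: str, history: list, min_length: int = MIN_LENGTH) -> list:
    """Return a list of rule violations (empty list means the password is acceptable).
    `history` is a list of (salt, digest) pairs, oldest first."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numeric character")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(password, salt, digest):
            problems.append("matches one of the last four passwords")
            break
    return problems


def rotate_password(password: str, history: list) -> list:
    """Validate a new password and return the updated history (last four only).
    Raises ValueError listing every violated rule, so users get one round of feedback."""
    problems = policy_violations(password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return (history + [hash_password(password)])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    history = rotate_password("Winter2024Snowfall", [])
    for attempt in ("short1a", "onlylettersherenow", "Winter2024Snowfall", "Correct7Horse9Battery"):
        print(f"{attempt!r}: {policy_violations(attempt, history) or 'OK'}")
```

Length and composition are checked before the history comparison so the expensive hash work only runs for passwords that already satisfy the cheap rules. Multifactor authentication, the other Requirement 8 change called out in this webinar, is a separate control and is not covered by this check.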
Overview of most impactful changes:
There is a lot to consider.
The password length change from 7 to 12 characters, password composition rules, and multifactor authentication are important and can take longer to put in place.
There is a great deal of new terminology to learn, such as "untrusted network" replacing "internet".
Speak to one of our professionals about your organizational needs