An overview of the changes to the new PCI Data Security Standard

The new PCI DSS standard adds new requirements that need to be implemented. It is recommended to perform a gap assessment of the requirements against your current security posture to identify areas for improvement. Many of the new PCI DSS requirements can be met by implementing an IAM system.

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that was created in 2004 for all organizations that store, process, or transmit cardholder data. The standard establishes a baseline of security for credit card, cash-card and debit card transactions and protects the account information of cardholders.

It has gone through several iterations to keep up with the changing threat landscape. The current version (PCI DSS v3.2.1) will be retired on the 31 March 2024, to be replace by PCI DSS v4.0, which will be fully enforced a year later (31 March 2025). Compliance with the new standard is not optional; but which parts of the standard you need to comply with depends on how you process transactions.

The new standard updates the guidelines to improve protection and security against current threats, and modernizes the requirements to align with current best practices.
Compensating controls and a custom approach have been updated to allow companies to implement security controls that do not strictly follow the defined requirements, but still mitigate the risk associated with the requirement. These need to be discussed with your QSA (Qualified Security Assessor).

This custom approach is unique in each organization and tailored to its needs; however, it requires documentation, risk assessment and testing to prove that each customized control is proven effective and correctly implemented.

The 12 high-level PCI DSS requirements remain the same as in v3.2.1, but here are some of the most important and impactful new key requirements.

• Stricter password complexity requirements. User accounts in PCI DSS v3.2.1 required a password of no less than 7 characters, the v4.0 now requires a minimum of 12 characters and requires both numeric and alphabetical characters.  In addition, if the user account does not use Multifactor Authentication (MFA), the password must be changed every three months.

• Passwords for application and system accounts needs improved password security. NIST SP 800-63 and best practice require a minimum of 15 characters, alphanumeric characters, upper and lower-case letters and special characters. These passwords, which can be used for interactive logins, can no longer be hard-coded into scripts, files, or custom code. Hard-coding passwords is generally seen as bad practice in software development as it poses a security risk should an attacker ever gain access to the source code. Additionally, it makes accountability and password rotation a challenge. This requirement will lead to a revision of current code to ensure no hard-coded password remains followed by a proper implementation of credential storage mechanisms.

• Internal vulnerability scanning must use credentialed scans where applicable. This leads to a more accurate internal vulnerability detection but also increases the immediate number of vulnerabilities found. Currently, internal vulnerability scans must be performed at least every three months, with high and critical vulnerabilities being remediated. The requirement to have authenticated internal vulnerability scans will force IT security teams to set up credentialed vulnerability scans for all eligible assets and remediate new vulnerability findings – a task that can prove difficult depending on the infrastructure management and patch management procedures.

• Intrusion detection system (IDS) and intrusion prevention system (IPS) must detect, alert on/prevent and address covert malware communication attempts such as DNS tunnelling. This requires detection and scanning on endpoints, network security monitoring using IDS/IPS and traffic analysis.
  

Since everything connected to the PCI systems is considered in scope for the PCI DSS standards, it is critical to implement proper network segmentation, not only to limit the PCI DSS standard’s scope, but also to secure the network in general.