As the new year begins, it’s a time many of us will take a moment to review our data security practices in preparation for the year ahead. It doesn’t seem that long ago that I was in Dublin at the PCI SSC European Conference meeting with my peers and talking about what is new in the Payment Industry world. I sometimes find it hard to comprehend that I’ve been working in Payment Security for over 20 years and in that time, we have responded to many incidents, helped with countless PCI Compliance projects and made lots of new friends in the industry. We have seen standards evolve slowly to keep pace with the ever-changing threat landscape, but we are only ever playing catch up, as new methods of accessing personal data are found and developed.
One of the key pieces of news in the industry, and the buzzword in Dublin, is PCI DSS Version 4.0.
This new iteration of the Payment Security standard is a large step forward and probably the biggest upshift we have seen since its inception. More technical tools are going to be required in order to meet the controls, especially for those merchants operating online. This makes sense, as we all know one of the biggest threats to any business taking card payments is for that data to be illegally accessed or intercepted. Fraud costs alone can be crippling for a business; add the expense and disruption of having a forensic investigation done in a short space of time, then undertaking the necessary remedial steps to contain the breach and develop new secure platforms, and not all businesses survive.
So, Has 2023 Proven to Be a Turning Point in the Payment Security Landscape?
Well, one thing that has been noted is that the number of data breaches is increasing every month. We have seen more well-known high street brands attacked, but does this make headline news nowadays? No, not really. It seems as though events that once would have been headline stories on the evening news are no longer even reported on. They have become too regular to be categorised as newsworthy.
It seems even the major players in the financial industry have adopted this stance and accepted that data loss is going to happen. The card schemes have adjusted their thresholds for triggering an investigation of such events too. A few years ago, any compromised entity would have undergone a thorough investigation to ascertain the root cause of the breach and would have been given assistance to contain and remediate the issue as quickly as possible. This now only happens for the very largest of incidents.
The large step forward in securing the online payment space offered by PCI DSS Version 4.0 will hopefully go some way to fill this gap, but it will take time. Many of the new requirements are not mandated to be fully in place until 2025, so we still have stormy waters ahead. Navigating through that storm will require careful interpretation of the new requirements and a better understanding of how web attacks can be prevented. Knowing which JavaScript is running in the browser on the payment page will be a big leap forward, and additional testing will help to spot issues sooner.
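To make the "know which JavaScript is running" point concrete, here is an added example (not code from this post or from 3B Data Security) of the kind of payment-page script audit PCI DSS 4.0 expects merchants to be able to perform: every script on the page is checked against an authorised inventory, and each authorised script is expected to carry a Subresource Integrity (`integrity`) attribute matching the inventory. The hostnames, hashes and the `AUTHORISED_SCRIPTS` inventory are constructed placeholders; in a browser the script list would be gathered with `collectScripts(document)`, while the sample list below lets the logic run offline.

```javascript
// Added example of a payment-page script audit. Not 3B Data Security's code.
// Hostnames, hashes and the inventory are constructed placeholders.

// Constructed inventory: the scripts the merchant has authorised on the
// payment page, keyed by URL, with the integrity hash each should carry.
const AUTHORISED_SCRIPTS = {
  "https://shop.example/checkout.js": "sha384-EXAMPLEHASHAAAA",
  "https://psp.example/fields.js": "sha384-EXAMPLEHASHBBBB",
};

// Browser-side collector: turns document.scripts into plain descriptors
// so the audit logic does not depend on the DOM.
function collectScripts(doc) {
  return Array.from(doc.scripts).map((el) => ({
    src: el.src || "",
    integrity: el.integrity || "",
    inline: !el.src,
  }));
}

// Audit a list of {src, integrity, inline} descriptors against the inventory.
// Returns one finding per script that is unknown, unprotected or tampered.
function auditScripts(scripts, authorised = AUTHORISED_SCRIPTS) {
  const findings = [];
  for (const s of scripts) {
    if (s.inline) {
      // Inline scripts cannot be matched to an inventory entry by URL.
      findings.push({ src: "(inline)", issue: "inline script on payment page; not covered by the inventory" });
      continue;
    }
    const expected = authorised[s.src];
    if (expected === undefined) {
      findings.push({ src: s.src, issue: "script not in authorised inventory" });
    } else if (!s.integrity) {
      findings.push({ src: s.src, issue: "authorised script loaded without an integrity attribute" });
    } else if (s.integrity !== expected) {
      findings.push({ src: s.src, issue: "integrity attribute does not match inventory" });
    }
  }
  return findings;
}

// Constructed sample of what a payment page might be running:
// one compliant script, one missing SRI, one unknown third party, one inline.
const SAMPLE_PAGE_SCRIPTS = [
  { src: "https://shop.example/checkout.js", integrity: "sha384-EXAMPLEHASHAAAA", inline: false },
  { src: "https://psp.example/fields.js", integrity: "", inline: false },
  { src: "https://cdn.unknown.example/track.js", integrity: "", inline: false },
  { src: "", integrity: "", inline: true },
];

// Outside a browser, run the audit over the constructed sample.
if (typeof document === "undefined") {
  console.log(auditScripts(SAMPLE_PAGE_SCRIPTS));
}
```

Run in a browser console on a test page, `auditScripts(collectScripts(document))` gives the same findings for the real page; the inventory itself still has to be maintained by the merchant, and a Content-Security-Policy that only permits the listed sources is the usual complement to this check.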
The takeaway from this is that 2024 will be another challenging year. Data breaches have almost become the accepted norm now, which is worrying for anyone who purchases things online. When the new standard kicks in, we may see a change but, in all honesty, don't expect anything visible for at least 18 months.
About PCI DSS 4.0
PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard. PCI DSS 4.0 was first published in April 2021 and went live at the end of last year. The old version of the PCI standard is retired in March 2024, and any new assessments undertaken after 31st March 2024 will need to be completed using the new standard. Many of the newer, more technical controls have been marked as 'best practice' until March 2025, when they will become mandatory.
Need Help Transitioning to PCI DSS 4.0?
3B Data Security are a specialist cyber security consultancy organisation with a wide range of services covering PCI DSS compliance, cyber security, information security, breach response and much more.
As a leading organisation in the payment card industry, 3B Data Security understand the importance of PCI DSS compliance and the challenges that come with it. If your organisation needs help transitioning to PCI DSS 4.0, our specialist team can help. Our consultants have been carefully and selectively recruited for their unique blend of qualifications and expertise, and have over 25 years of experience in the payment card industry.