Cyber Defense Advisors

PCI DSS v4.0

2022 is the year that much of the world managed, to varying degrees of success, to get back to normal.  People ramped up traveling, returned to in-person activities and many returned to the office.  The pandemic changed most aspects of day-to-day life, but hackers and other bad actors generally continued making life difficult for businesses, governments, and non-profit entities.

As a result, there have been some innovative new ways to target networks and IT infrastructures that keep CISOs and their teams up at night.  A sample of those types of concerning threat vectors include Ransomware as a Service, targeting IOT/OT infrastructure, general supply chain attacks.  Tried and true methods, like phishing, and targeting unpatched or outdated systems to find vulnerabilities also continued.

Data shows that threats are increasing in volume and impact across every industry and government agency.  The Cybersecurity and Infrastructure Security Agency (CISA) recently reported that 14 critical US sectors have been the subject to intense ransomware attacks and the FBI identified over 2,000 ransomware attacks between January and July of 2022. (source)  CheckPoint estimates that 1 out of 40 organizations will be hit by a ransomware attack and 84% of those sees some amount of data exfiltration.  IBM appraises the average cost of a data breach at $4.3M and the recovery time from such attacks is approximately 22 days.

And with all of that said, the World Economic Forum still attributes 95% of all data breaches to human error.

The cybersecurity industry is fighting back.  The PCI Security Standards Council (PCI SSC) sorted through over 6,000 pieces of feedback from over 200 organizations, to help it create the new standard aimed at significantly reducing the success of these types of attacks in the future.  On May 31, 2022, the PCI SSC released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS).  This provides an accepted baseline of technical and operational requirements designed to protect various types of user account data.  The updated standard and Summary of Changes document are available now on the PCI SSC website.

Version 4.0 is a significant update to the standard, so to enable organizations to understand the new requirements and plan, execute and test updates, the current version of 3.2.1 remains active through March 31, 2024.  Assessors are undergoing training and certification for the new standard now, and once available, they will be able to assess to either the current or new standard, based upon the plans of the organization. 

The new standard had many expected updates based upon evolving payment card industry security needs.  There are also changes to the frequency of expected effort, shifting from specific durations between work to the idea that security is a continuous process. 

The stated goals for PCI DSS v4.0 are as follows:

Continue to Meet the Security Needs of the Payment Industry;
Promote Security as Continuous Process;
Add Flexibility for Different Methodologies; and
Enhance Validation Methods.

Source: At a Glance: PCI DSS v4.0 (pcisecuritystandards.org)

PCI DSS compliance is a requirement for any organization that handles credit card or other types of payment card data.  Organizations that use this type of data without this compliance will face penalties and daily fines, not to mention risk of a data breach that could cost millions in settlements, legal fees and reputational loss.  Simply stated, ignoring this update is not optional if your organization plans to process credit card or other payment data.

With a fully trained team of PCI assessors, AT&T Cybersecurity Consulting can provide assessments, remediation consulting, program development, penetration testing and code review services that help companies achieve PCI compliance and general security best practices.  We are able to leverage solutions such as Unified Security Management (USM) as a tool to manage threat detection and response for an environment.  We are also able to provide managed services powered by best of breed technology platforms.  For example, Client Side Code Scanning services provide by the AT&T Managed Vulnerability Program (MVP) team can quickly and continuously monitor in-scope web application JavaScript and Content Security Policies (CSPs) to identify compliance gaps with PCI DSS 4.0 so that plans can be created for remediation.

To help further ramp on PCI DSS 4.0 details, you can review a couple of online resources from the PCI Security Standards Council:

PCI DSS v4.0 Resource Hub
PCI SSC Document Library

And when you’re ready to engage with one of the industry leaders in security compliance solutions, you can read more and then reach out to us via the web form, or contact your AT&T business partner.