PCI DSS 4.0 is set to start its phase-in during the first part of next year, with full implementation to follow in 2025. That may seem a long way off, but as cybersecurity expert Erfan Shadabi explains, complying with the new standards may mean revolutionizing how you handle data.
Regulatory mandates for data security, protection and privacy are as common as they are difficult to manage for compliance teams. For financial services organizations, the Payment Card Industry Data Security Standard (PCI DSS) has a new update set to take effect partially in March 2024, with full implementation a year later in March 2025. This update, like all previous updates, will be in the pursuit of protecting and securing cardholder information for all major card brands. PCI DSS version 4.0 will replace the previous standards in a few different areas, and overall, it is meant to protect the security of cardholders and to reduce fraud and other cyberthreats related to personally identifiable information (PII).
But time is running out. While 2025 sounds far off now, the actual process of getting an entire organization up to standard could be very intensive if not approached correctly.
What’s new with PCI DSS v4.0?
Some of the areas that PCI DSS v4.0 addresses include the following:
- Scoping validation
- Regular reporting standards
- Classification of data by risk
- Cardholder data transmission protection
- Anti-phishing and social engineering attack considerations
- Inventories of systems and applications
- Authentication, password and encryption requirements
In an update like this, there are a plethora of aspects for payment industry organizations to consider as they strive to get their data practices in order and to mitigate noncompliance. By March 2025, these organizations must be fully compliant with all of the above and all other considerations as stated by PCI DSS 4.0.
This is no small feat. Achieving compliance in the face of these new and improved regulations requires the complex coordination of employees, teams, departments and various operations. In other words: the entire organization.
Data discovery and classification
How should these organizations go about reaching PCI DSS compliance? The answer is data discovery and classification. Think of it as a map that helps organizations achieve and maintain compliance with data security and protection regulations.
Frequently, organizations undertake manual data discovery, which can be a mistake. This approach often leads to substantial data oversights due to the challenges of comprehensively identifying all the diverse locations where data may reside. Additionally, today’s interconnected systems make it increasingly difficult to track data effectively. Existing data tracking systems primarily focus on known data, which, while beneficial, leaves organizations vulnerable to compliance challenges, particularly when confronted with stringent regulations like PCI DSS v4.0, where unidentified data poses significant complications.
As PCI DSS 4.0 takes full effect in less than two years, it is important for organizations to begin their compliance journey now. The consequence of noncompliance is much too high for organizations to ignore these regulations or even be mildly lax about them. One example of a stunning noncompliance penalty followed the 2017 data breach at Equifax, which resulted in more than $400 million in penalties.
Looking even more broadly, however, it is also true that an organization can be PCI compliant but may still be attacked by cybercriminals. For example, in 2018, the PCI-compliant airline British Airways was hacked. An estimated 400,000 individuals had their data compromised in this attack, and the company was fined despite compliance with set standards.
Compliance is only one of the goals
The example of the British Airways hack shows why organizations under the purview of PCI DSS ought not only to seek compliance but also to aim for organization-wide resilience and security for all data. In such a case, a company's data discovery and classification system keeps it informed and well-armed, and that is worth pursuing in its own right. Every company should strive for this, as it will protect their data integrity and organizational strength in the long run. Seek compliance and, above all, seek knowledge.