The latest Payment Card Industry Data Security Standard (PCI DSS), version 4.0, comes into force today. PCI DSS 4.0 requires that digital identities are tied to individuals, and has a focus on maintaining robust security amid evolving cyber threats. Retailers and other organisations that handle or process payment card data face stricter security requirements as a result. While these have been best practices for some time, organisations must now fully comply with what’s laid out in the standard.
For more about the changes, see the PCI Security Standards Council website.
Comments
Randolph Barr, CISO at Cequence, said: “PCI DSS 4.0 is pushing businesses to modernise security, but many are still scrambling to catch up, giving attackers the perfect opportunity to strike.
“Account takeovers remain the biggest threat, but we’re also seeing a wave of new, highly sophisticated attacks exploiting every stage of the digital payment process. The common thread? APIs. Attackers are sidestepping traditional security defences and going straight for API endpoints that handle cardholder data – one of the most critical yet overlooked vulnerabilities. Businesses that focus only on compliance risk falling behind.”
Niall McConachie, regional director (UK and Ireland) at Yubico, says that PCI DSS 4.0 necessitates that organisations handling payment card data ensure they’re maintaining robust security, including strong multi-factor authentication (MFA). “This is particularly pertinent as these businesses are prime targets for cyber criminals through attacks like phishing, due to the vast swathes of sensitive financial data they possess.
“Failure to fully comply with the new regulations will not only see businesses lose their certification and receive hefty fines – they’ll also remain vulnerable to increasingly sophisticated cyber attacks, such as phishing. Vulnerable businesses in industries that process payments, including financial services and retail, also run the risk of serious reputational damage and a loss of trust from customers and stakeholders if they are attacked. It is extremely difficult to recover from this in these sectors.
“Perhaps most importantly, PCI DSS 4.0 specifically mandates the use of strong, modern MFA in line with best practices from the FIDO Alliance on leveraging FIDO-based authentication – bolstering cybersecurity for financial institutions and organisations dealing with payment processing information. To ensure compliance, businesses must implement phishing-resistant MFA for all employees and strive to create phishing-resistant users. Phishing-resistant MFA like device-bound passkeys ensures that, even if an individual’s credentials are compromised, attackers are unable to access information without possession of the physical key. Utilising a high-level security measure like this not only helps companies comply with PCI DSS 4.0, but also strengthens their dedication to safeguarding customer information while upholding brand integrity.
“This deadline signifies a critical juncture for businesses handling payment processing information. Ensuring compliance with the updated requirements is imperative for maintaining strong security and evading penalties, avoiding the repercussions that come from this.”
The PCI Security Standards Council is due to hold its European meeting from October 14 to 16 in Amsterdam.