Global Banking & Finance Review

    New Payment Security Standards Update Fails to Convey a Sense of Urgency for Security

    Published by Jessica Weisman-Pitts

    Posted on August 22, 2022

    By Donnie MacColl, Senior Director of EMEA Technical Services at HelpSystems

    Since 2004, the Payment Card Industry Data Security Standard (PCI DSS) has ensured that organisations processing or storing credit card information do so securely.

    During the pandemic, when shops were either closed or no longer accepting cash as the preferred method of payment, the volume of payment card data increased dramatically. Since then, the volume of online transactions and use of point-of-sale machines continue to soar and, as most of the data is held in the cloud, so do the opportunities for cyber-attacks. These trends meant that the previous version of PCI DSS was no longer sufficient and a new version was required to update the guidance on security controls.

    Now that PCI DSS V4.0 has been announced, many financial businesses are getting ready to implement the changes it brings. Companies have two years to plan their implementation, but must have everything in place by March 2025. The risk of working to this single deadline, however, is that it fails to create a sense of urgency, and many of the security updates included in the new standard are best practices that businesses should already have established.

    For instance, “8.3.6 – Minimum level of complexity for passwords when used as an authentication factor” or “5.4.1 – Mechanisms are in place to detect and protect personnel against phishing attacks” are listed as “non-urgent updates to implement in 36 months”. Considering the high level of cyber threat following events such as the Russian-Ukrainian conflict, this timeframe isn’t fast enough to raise the level of cyber protection needed by financial institutions and retail businesses today, posing a real threat to customer data and privacy.

    In a wider sense, there are some important and revealing numbers that illustrate both the scope and the limitations of the new standard:

    • 64 is the number of changes and updates between versions, representing positive progress.
    • 13 is the number of differences that are effective immediately for all V4.0 assessments. This is useful but doesn’t go far enough, particularly because:
    • 51 and 2025 illustrate the core problem surrounding PCI DSS V4.0: 51 is the number of proposed changes that are classed only as “best practice” between now and 2025, when they actually become effective, which is three years away.

    This isn’t without precedent, however, and I recall the threats of huge fines and the risk of having credit cards as a payment method withdrawn if organisations failed to comply with PCI standards. In reality, the imposition of penalties has been relatively few and far between, and waiting a further three years to implement the new requirements contained within V4.0 seems to imply a lack of ownership that some of the changes deserve.

    A phased approach?

    Granted, there are a lot of changes to implement, but a better strategy would be to adopt a phased approach, i.e. prioritise the changes required immediately, in 12 months, in 24 months and in 36 months from now, rather than saying they must all be effective in three years’ time. Without this guidance, it’s likely some organisations will shelve these projects to be looked at in two years’ time when the implementation plan deadline approaches.

    The items that are effective immediately for all V4.0 assessments include requirements such as “Roles and responsibilities for performing activities are documented, assigned and understood”. These make up 10 of the 13 immediate changes, so knowing what you should already be doing comprises the bulk of the “urgent updates”, whereas the following are updates that merely “need to be effective by March 2025”:

    • 3.3: Anti-malware scans are performed when removable electronic media is in use.
    • 5.4.1: Mechanisms are in place to detect and protect personnel against phishing attacks.
    • 2.4: Review all user accounts and related access privileges appropriately.
    • 8.3.6: Minimum level of complexity for passwords when used as an authentication factor.
    • 4.2: Multi-factor authentication for all access into the CDE (cardholder data environment).
    • 7.3: Failures of critical security control systems are responded to promptly.

    These are just six of the 51 “non-urgent” updates, and I find it amazing that the detection of phishing attacks and use of anti-malware scans are considered so. Today, with phishing attacks at an all-time high, I would expect any global financial institution with sensitive data to protect to have these in place as essential requirements, not something to have in place in three years’ time.

    I do appreciate that just because they are specified in PCI 4.0 does not mean that companies have not already implemented some or all of the updates. I also appreciate that some updates require investment and planning, and for these purposes, PCI 4.0 needs to be more specific. For example, it states that security failures need to be responded to “promptly” which is simply too vague (does that mean 24 hours, 24 days or 24 months?). Stakeholders would be much better served with more specific deadlines.

    While PCI DSS V4.0 represents a good basis for moving the standard forward, much of what it includes would benefit all stakeholders if it was implemented with greater urgency. In an era when payment card crime continues to be a ubiquitous risk, there is little to be gained from delay.

    About the Author

    Donnie MacColl is Senior Director of EMEA Technical Services. He has worked for more than 25 years in the IT industry, initially specialising in the management of IBM systems in manufacturing and logistics companies, and later in his career developing expertise in network and enterprise management.

    A regular speaker at international events, he has worked with many industry sectors to help improve cost efficiencies and has implemented solutions across some of the largest data centres in the United States, Asia Pacific, and Europe. He specialises in cyber security, IT governance and compliance and advanced automation across multi-platform environments.
