The Payment Card Industry (PCI) Security Standards Council recently released its Data Security Standards (DSS) version 4.0, which is “a global standard that provides a baseline of technical and operational requirements designated to protect payment data.”
Version 3 of the standards was released six years ago, and while there have been updates along the way, a lot has changed in the industry from a technology and security perspective; hence the need for a full version update of the standards.
Any organization that accepts, transmits or stores any cardholder data falls within the purview of PCI, and must comply with the new standards within the proper transition period. The previous version (PCI DSS v3.2.1) will be retired on March 31, 2024, and some new requirements from v4.0 will go into effect on March 31, 2025.
No matter the timing, awareness of these updates and how they apply to your organization is important to ensure both regulatory compliance and secure transactions for your customers.
What’s New in PCI DSS v4.0?
The newest version of the PCI DSS standards is designed to meet the continually changing needs of the payments industry, especially when it comes to protecting and securing transactions. As the industry evolves, so do security threats, and the updated standards are meant to enhance current security measures.
Two intriguing updated requirements – #2 and #8 – are ones we want to shed light on in particular.
Requirement 2 concerns applying secure configurations to all system components. Acknowledging that bad actors use well-known “default passwords” to easily compromise systems, the new standards now require organizations to have security standards that will “help reduce the potential attack surface.” PCI states that changing default passwords and removing unnecessary software can address this vulnerability.
With regard to Requirement 8, PCI updated the standard to help identify users and authenticate access to system components. This requirement is meant to protect against attacks by requiring strong authentication factors and providing updated guidance on password complexity. Now, the standards body’s minimum requirements for passwords/passphrases are 12+ characters (up from 7 in previous versions), including both alphabetic and numeric characters. Service providers that use passwords as consumers’ only authentication factor are also advised to update passwords every 90 days.
However, 90-day password rotation is something we at SpyCloud hoped would fade away years ago since it’s actually beneficial to criminals. When forced to create a new password every three months, human behavior defaults to reusing passwords or similar variations of the same password, which creates vulnerabilities that criminals are waiting to exploit. Therefore this requirement is one that we can’t say we agree with.
Recognizing the industry’s move to the cloud, PCI DSS v4 puts more emphasis on multi-factor authentication (MFA) and lifecycle management to incorporate additional layers of security to online payments. Key updates include requiring MFA for all accounts that have access to cardholder information, comparing prospective passwords to the list of known bad passwords, and reviewing access privileges at least once every six months.
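As an added illustration (not SpyCloud's or PCI's code), the sketch below applies the password rules summarized above: the 12-character minimum, alphabetic plus numeric composition, and comparison against a known-bad list. It also flags the rotation habit of keeping the same base word and changing only the suffix. The blocklist, the substitution table and the reason codes are constructed for the example.

```python
import re

MIN_LENGTH = 12  # minimum length the article cites for PCI DSS v4.0

# Constructed sample blocklist; a real deployment would load a large
# list of known-bad or breach-exposed passwords instead.
KNOWN_BAD = {"password", "welcome", "qwerty", "summer", "letmein"}

# Common character substitutions (assumed table, not from any standard).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_form(password):
    """Reduce a password to the word it is built on.

    Lower-cases, drops the trailing run of digits and punctuation that
    users typically bump at each rotation, then undoes substitutions.
    """
    lowered = password.lower()
    stem = re.sub(r"[\W\d_]+$", "", lowered)
    return stem.translate(LEET)


def check_password(candidate, previous=None):
    """Return a list of reason codes; an empty list means accepted.

    `previous` is the current password as supplied by the user during a
    change request, so no plaintext history has to be stored.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        reasons.append("needs_alpha_and_numeric")
    base = base_form(candidate)
    if base in KNOWN_BAD:
        reasons.append("known_bad")
    if previous is not None and base and base == base_form(previous):
        reasons.append("variation_of_previous")
    return reasons


if __name__ == "__main__":
    for pw in ("Password2024!", "violet-Tractor-91-canoe"):
        print(pw, check_password(pw))
```

"Password2024!" meets the length and composition rules yet is rejected, because its base form is a known-bad word; this is the gap that the known-bad comparison closes.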
Also of note with the updated requirements is the repeated reference to malware and malicious actors. PCI specifically states the updates were made “to address emerging threats and technologies and enable innovative methods to combat new threats.” The updated standards require the use of anti-malware solutions on all systems that are at risk from malware, a critical step in protecting cardholder data from hard-to-detect threats.
Enhance Payment Security with SpyCloud
At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Our 2022 Annual Identity Exposure Report, in which we analyze the more than 15 billion credentials and PII assets recaptured from the criminal underground in 2021, uncovered a 64% password reuse rate for users with more than one password exposed in the last year.
When your consumers reuse passwords, they become easy targets for cybercriminals. Since reused passwords have been the leading vector in cyberattacks in the last few years, the more stringent requirements around password length and security in the updated PCI DSS guidelines are something we can get behind.
Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases. These activities can not only damage your brand and your bottom line, but also put you at risk for noncompliance with PCI DSS v4.0.
With Consumer ATO Prevention, you can match your consumer logins against SpyCloud’s robust database of stolen credentials and reset passwords before criminals can profit from your consumers’ accounts.
We also appreciate PCI DSS v4.0’s focus on malware, as we are seeing an increase in malware logs in our recaptured data. Information pilfered from malware-infected devices is shared in small criminal circles and private chat groups, and is also posted on underground web forums. SpyCloud is able to recover this data and deliver malware intelligence to enterprises – automated feeds of infected victims’ usernames, URLs, passwords, and session cookies. This helps consumers and organizations protect themselves before criminals can leverage their stolen data for ATO, identity theft, and online fraud.
The increase in online transactions over the last few years led to an explosion in online fraud, resulting in a 140% increase in the volume of fraud attacks last year compared to pre-pandemic levels. Compliance standards that evolve to take into account the impact of exposed passwords and other information can help combat this and protect enterprises and consumers alike.