Are you tuned in to the rising rhythm in the air? Tick tock, it amplifies, signaling the immense importance of PCI DSS v4.0, the latest version of the Payment Card Industry Data Security Standard. This transformative framework is reshaping data security on a global scale, and to ensure a secure path forward for your organization, the time to start planning and prioritizing for it is now.
Compliance with PCI DSS is crucial for businesses accepting credit card payments, whether this be online, in-store or even via the telephone. Although we acknowledge that the sunset date for PCI DSS v3.2.1 is 2025, Adyen will start to actively encourage merchants towards certifying against the latest standard as soon as possible. The good news is that we’re certified against PCI DSS v4.0 and have curated the essential information you need to ensure a seamless transition to the new framework.
In a nutshell
PCI DSS v4.0 was released in Q1 2022, and it introduces expanded requirements in key security and technology areas, including mobile phones and tablets, contactless payments, cloud adaptation, new software development practices, and increased reliance on third-party services.
It is primarily driven by four key objectives set by the PCI Security Standards Council:
1. Meeting the evolving security needs of the payments industry.
2. Adding flexibility and support for diverse security methodologies.
3. Encouraging a continuous security process mindset for businesses.
4. Enhancing validation methods and procedures to ensure robustness.
PCI DSS v4.0 will replace v3.2.1 after March 31, 2024, with a two-year transition period. While there are substantial changes, it's important for companies to review and prepare for v4.0 sooner rather than later due to the complexity of the updates.
Key changes for ECOM
While each merchant's integration and setup may have unique requirements, some common changes will likely apply to most ECOM merchants.
Requirement 6.4.3: Securing scripts on payment pages
Scripts on payment pages must be carefully managed to prevent malicious execution. This includes implementing methods to authorize and ensure the integrity of each script. Additionally, maintaining an inventory with justifications for the necessity of each script is required.
Requirement 11.3.2: Regular external vulnerability scans
Organizations must perform external vulnerability scans conducted by a PCI SSC-approved scanning vendor every three months. Regular scans are essential to identify and address vulnerabilities in externally facing servers, protecting against potential attacks. Four passing scans within the first 12 months are not required initially; in subsequent years, however, passing scans are mandatory at least every three months. This requirement is effective immediately.
Requirement 11.6.1: Detecting unauthorized changes
This requirement mandates deploying change- and tamper-detection systems on payment pages. The goal is to prevent man-in-the-middle attacks and unauthorized modifications. By comparing current and known versions of HTTP headers and page content, merchants can detect suspicious changes that may indicate skimming attacks. Content Security Policy (CSP) violation reporting, website loading inspection, and tamper-resistant script embedding are among the mechanisms that help identify unauthorized modifications. Merchants must implement these measures and run them at least weekly to ensure the security of critical web pages.
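As an added illustration of what a weekly check under Requirements 6.4.3 and 11.6.1 can look like (example code, not Adyen's tooling or any product described here): a script compares a fetched payment page against an inventory of authorized scripts, each with a justification and an SRI-style hash, and against a baseline of security-relevant response headers. All hosts, script bodies and headers below are constructed sample data.

```python
import base64
import hashlib
import re

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)

def sri_hash(body: bytes) -> str:
    """Hash in the form used by the HTML integrity= attribute (Subresource Integrity)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Constructed inventory (6.4.3): every authorized script, its approved hash and a written justification.
INVENTORY = {
    "https://cdn.example.test/checkout.js": {"hash": sri_hash(b"window.checkout = {};"), "why": "renders the card entry form"},
    "https://cdn.example.test/risk.js": {"hash": sri_hash(b"window.risk = {};"), "why": "device data for fraud screening"},
}

# Constructed baseline (11.6.1): security-relevant response headers recorded when the page was approved.
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://cdn.example.test",
    "strict-transport-security": "max-age=31536000",
}

def check_page(html: str, bodies: dict, headers: dict) -> list:
    """Compare a fetched payment page against the inventory and header baseline.
    bodies maps script URL -> fetched bytes. Returns a list of findings; [] means no drift."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        entry = INVENTORY.get(src)
        if entry is None:
            findings.append(f"unauthorized script: {src}")
        elif sri_hash(bodies.get(src, b"")) != entry["hash"]:
            findings.append(f"integrity mismatch: {src}")
    seen = {k.lower(): v for k, v in headers.items()}
    for name, expected in BASELINE_HEADERS.items():
        if seen.get(name) != expected:
            findings.append(f"header drift: {name}={seen.get(name)!r}")
    return findings

def weekly_check_demo() -> list:
    """Constructed fetch in which one script was altered, one was added and the CSP was loosened."""
    html = ('<script src="https://cdn.example.test/checkout.js"></script>'
            '<script src="https://cdn.example.test/risk.js"></script>'
            '<script src="https://unknown.example.test/extra.js"></script>')
    bodies = {"https://cdn.example.test/checkout.js": b"window.checkout = {}; /* altered */",
              "https://cdn.example.test/risk.js": b"window.risk = {};",
              "https://unknown.example.test/extra.js": b"/* not in inventory */"}
    headers = {"Content-Security-Policy": "script-src 'self' https://cdn.example.test https://unknown.example.test",
               "Strict-Transport-Security": "max-age=31536000"}
    return check_page(html, bodies, headers)
```

Any non-empty result is a change since the approved baseline and should be raised for review; a real job would fetch the live page and its scripts in place of the constructed values.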
How to prepare
To maintain PCI DSS compliance, merchants must take proactive steps. Familiarizing themselves with the changes in PCI DSS v4.0 is crucial, enabling organizations to prepare for a seamless transition. Regular gap assessments are recommended to identify areas that require improvement. Early planning is key to being able to address any gaps before a formal validation is required.
At Adyen, our diligent efforts have led us to be one of the first in the industry to be certified against the latest standard, showcasing our dedication to ensuring a secure payments ecosystem.
Prioritizing security as a continuous process
It's important to treat PCI DSS as a continuous effort, not just a yearly checklist, because security threats are increasing. A PCI Self-Assessment Questionnaire (PCI SAQ) or Report on Compliance (RoC) is how merchants show they are following security measures to protect cardholder data and meet PCI requirements.
These documents expire one year after the signing date. Due to the growing threat of attacks, we encourage a year-round approach to PCI DSS rather than a once-a-year exercise. By prioritizing year-round security, organizations can avoid repeating cycles of short-term compliance and subsequent lapses.
Another way to prioritize security as a continuous process is to conduct regular staff training to educate employees about the importance of PCI DSS and their role in securing payment data. Making security part of the organizational culture enables swift detection, reporting, and correction of control failures.
Ready? Let’s go!
Implementing PCI DSS compliance may appear daunting, especially without an established framework to safeguard account data effectively. Not to worry! We are available to provide guidance and support. Feel free to consult us about the updates, or reach out if you have any questions in the meantime.
For a deep dive into the new requirements, we have two available resources for you to check out: