PCI DSS 4.0 is coming: how to prepare for the looming changes to credit card payment rules

New credit card payment processing rules will tighten security and offer more flexibility for enterprises. While they won’t come into full effect until 2025, experts say the changes are significant and recommend that consumer-facing businesses start getting ready for compliance now.

For enterprises that handle credit card data, which means just about every consumer-facing company, payment processing is a mission-critical system that requires the highest levels of security.

The volume of transactions conducted with general purpose credit cards (American Express, Discover, Mastercard, Visa, UnionPay in China, and JCB in Japan) totaled $581 billion in 2021, up 24.5% year-over-year, according to the Nilson Report.

However, credit card issuers, merchants, banks, and third-party transaction processors lost $28.58 billion to credit card fraud in 2020, which comes to nearly 7 cents per $100 in purchase volume. And the Nilson Report projects credit card losses will exceed $400 billion over the next 10 years.


In an effort to reduce those losses and keep pace with the rapidly evolving threat landscape, the global standards body that maintains the standard, the PCI Security Standards Council (PCI SSC), has issued a major upgrade to its rules governing how credit card data is to be stored, processed and protected.

Full PCI DSS 4.0 compliance required by March 2025

The new version of the standard – PCI DSS 4.0 – was unveiled in March 2022. The current version, PCI DSS 3.2.1, remains in effect until March 31, 2024, when it will be officially retired. During that transition period organizations may be assessed against either version; after it, assessments are against 4.0 only. A further set of requirements in 4.0 is designated as best practice until March 31, 2025, after which they become mandatory, so organizations need to be fully compliant with 4.0 by March 2025.

That might seem like a long lead time, but experts say enterprises shouldn’t put off their PCI DSS 4.0 compliance efforts until the last minute. The new standard represents a significant change. The PCI DSS 4.0 document runs to 360 pages and covers everything from extremely specific items, such as raising the minimum password length from seven to 12 characters (eight where a system cannot support 12), to general guidance on procedures and policies.

“This is a big deal,” says Marc Rubinnaccio, senior compliance manager at Secureframe, which helps companies automate their compliance efforts. “It is the latest major iteration of the PCI DSS standard and implements significant changes in requirements to focus on maintaining continuous security plus new methods to meet those requirements.”

The new regulations touch on every aspect of security, including firewalls, anti-virus software, network segmentation, multifactor authentication, encryption, access control, active monitoring, intrusion detection, and incident response.

For the full article, please visit: PCI DSS 4.0 is coming: how to prepare for the looming changes to credit card payment rules | CSO Online