Are You Ready for PCI DSS 4.0?

The PCI Security Standards Council issued version 4.0 of the PCI Data Security Standard (PCI-DSS) on March 31, 2022. PCI-DSS v4.0 replaces PCI-DSS version 3.2.1 to address emerging threats and technologies and provide innovative ways to combat new threats.

It’s worth noting that PCI-DSS v3.2.1 will be retired on March 31, 2024. The pressure is on for organizations to ensure they meet the new compliance requirements established in PCI DSS v4.0.

There are sixty-four new requirements in PCI-DSS v4.0. Thirteen of them are effective immediately for all PCI-DSS v4.0 assessments; the remaining fifty-one are future-dated and are considered best practices until March 31, 2025, after which they become mandatory.

The twelve core PCI-DSS requirements did not fundamentally change with PCI-DSS v4.0, and they remain the critical foundation for securing payment card data.

However, the requirements were redesigned to focus on security objectives and to guide how security controls should be implemented.

What is New in PCI-DSS v4.0?

The goal of the updated payment security standard is to “address emerging threats and technologies and enable innovative methods to combat new threats,” per the PCI Security Standards Council. Some of the key high-level objectives are:

1) Continue to meet the security needs of the payments industry.

Why it’s important: Security practices must evolve as threats change.

Examples:

  • Expanded multi-factor authentication requirements
  • Updated password requirements
  • New e-commerce and phishing requirements to address ongoing threats

2) Promote security as a continuous process.

Why it’s important: Criminals never sleep. Ongoing security is crucial to protect payment data.

Examples:

  • Clearly assigned roles and responsibilities for each requirement
  • Added guidance to help people better understand how to implement and maintain security
  • New reporting option to highlight areas for improvement and provide more transparency for report reviewers

3) Increase flexibility for organizations using different methods to achieve security objectives.

Why it’s important: Increased flexibility allows more options to achieve a requirement’s objective and supports payment technology innovation.

Examples:

  • Allowance of group, shared, and generic accounts on an exception basis, with documented business justification and management approval, while preserving individual accountability for their use
  • Targeted risk analyses empower organizations to establish frequencies for performing certain activities
  • Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives

4) Enhance validation methods and procedures.

Why it’s important: Clear validation and reporting options support transparency and granularity.

Example:

  • Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

Verify Elite: The Complete Solution for File Integrity Monitoring & Compliance

Verify Elite® is the complete NonStop compliance and file integrity monitoring solution. It ensures that your NonStop System’s security (Guardian & OSS) meets industry standards and regulations such as PCI DSS, SOX, and GDPR, and is specifically designed to monitor changes to files and generate compliance reports.

Verify Elite’s recent enhancements include a simplified user interface, which makes it easier for you to address the critical file monitoring and compliance reporting requirements for PCI/GDPR. We’ve also added helpful tips across the product and made it even more intuitive to use.

(Screenshot: Enhanced UI)

Verify Elite’s Security Compliance Monitor can ensure your compliance with regulations and internal security policies by performing regularly scheduled compliance checks.

And by executing regularly scheduled file integrity checks, Verify Elite’s File Integrity Monitor ensures that any unauthorized changes are identified and reported as soon as the next check runs.

(Screenshot: Guardian Result History Screens)

What’s New in Verify Elite 2.40

Some key features included in the latest release of Verify Elite are the new “Binder Timestamp” flag for Guardian File Integrity Check and the EMS logging options.

Key Features:

  • Pre-built customizable compliance rules
  • Monitors both Guardian & OSS files
  • Detailed compliance reporting
  • Intuitive GUI makes compliance checking & audit reporting easy
  • Addresses PCI-DSS requirement 11.5 (change-detection / file integrity monitoring; requirement 11.5.2 in v4.0)
  • Easily integrated with enterprise security tools
  • Real time notifications with Alert-Plus
  • Multi-Node Fileset Compare

The regular comparison of filesets across nodes should also be part of the process of ensuring the integrity of your files. Verify Elite’s Multi-Node Fileset Compare feature permits the comparison of filesets located either locally or across NonStop nodes. For example, files that are replicated to backup environments need to be regularly compared to production files to ensure their integrity.
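As an added, generic illustration of the two checks described above (a scheduled integrity check against a stored baseline, and a comparison of a replicated fileset against production), the following Python is example code written for this page. It is not Verify Elite or NonStop code; the directory names ("prod", "backup"), the file names and their contents are constructed, and a real deployment would store the baseline somewhere the monitored host cannot alter it.

```python
"""Minimal file-integrity check: hash a fileset, keep a baseline, re-hash and diff.

Constructed example for this page; not Verify Elite or NonStop code.
All paths and file contents below are hypothetical.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's content, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (by relative POSIX path) to its size and SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def compare_filesets(expected: dict, actual: dict) -> dict:
    """Diff two baselines: report files added, removed, or whose content hash changed.

    'expected' may be a stored baseline (scheduled integrity check) or the
    baseline of a replica on another node (fileset compare); the logic is the same.
    """
    exp_keys, act_keys = set(expected), set(actual)
    modified = sorted(
        k for k in exp_keys & act_keys
        if expected[k]["sha256"] != actual[k]["sha256"]
    )
    return {
        "added": sorted(act_keys - exp_keys),
        "removed": sorted(exp_keys - act_keys),
        "modified": modified,
    }


def run_demo() -> dict:
    """Build a constructed 'prod' and an identical 'backup' fileset, baseline prod,
    tamper with prod, then run both kinds of check."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        backup = Path(tmp) / "backup"
        for d in (prod, backup):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "payproc").write_bytes(b"\x7fELFfake-binary-v1")   # constructed
            (d / "config.ini").write_text("[db]\nhost=db1\n")               # constructed

        baseline = build_baseline(prod)

        # Simulated unauthorized changes on production only
        (prod / "bin" / "payproc").write_bytes(b"\x7fELFfake-binary-v1-TROJANED")
        (prod / "dropper.sh").write_text("#!/bin/sh\n")
        (prod / "config.ini").unlink()

        # Scheduled check: current state vs. stored baseline
        scheduled_check = compare_filesets(baseline, build_baseline(prod))
        # Multi-node style check: replica on 'backup' vs. current production
        backup_vs_prod = compare_filesets(build_baseline(backup), build_baseline(prod))
        return {"scheduled_check": scheduled_check, "backup_vs_prod": backup_vs_prod}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Both checks flag the same three events here (one modified binary, one added script, one deleted config file) because the replica was taken before the tampering; in practice the stored baseline and the replica are independent references, which is why a production FIM process uses both.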

(Screenshot: Guardian Fileset Result Compare)


CSP – Compliance at your Fingertips ®


For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com

We Built the Wiki for NonStop Security ®

The CSP Team

+1 (905) 568-8900