How federal and state government agencies can prepare for new PCI DSS compliance
Author: Christopher Tozzi
Public sector agencies that process credit and debit card transactions must abide by the Payment Card Industry Data Security Standard (PCI DSS) framework and maintain PCI DSS compliance. However, a new version of those regulations, PCI DSS v4.0, is set to take effect in 2024. These new regulations require agencies to adapt to updated and additional PCI DSS compliance requirements. This is the most significant update to the PCI DSS since its initial release in 2004.
What are the new requirements that will impact how government agencies collect and process credit and debit card transactions?
And what can public sector organizations begin doing to maintain compliance with PCI DSS v4.0?
What is PCI DSS?
The PCI DSS framework contains a catalog of baseline security requirements that help organizations develop and maintain a secure environment and protect payment card account data against unauthorized access and compromise.
Any organization—including businesses and public sector agencies—that accepts credit or debit card payments from companies such as Mastercard and Visa should comply with PCI DSS requirements. Failure to meet PCI DSS compliance rules can trigger significant fines, and it can eventually result in card processors choosing to block non-compliant organizations from accepting card payments altogether.
PCI DSS v4.0 is the latest set of requirements for the public sector
The release of PCI DSS v4.0 is the most substantial update to the PCI Standard in 17 years—since the release of DSS 1.0 in 2004. At first glance, organizations will notice several significant changes introduced by PCI DSS v4.0. While v4.0 doesn’t alter the fundamental structure of the PCI Standard, and PCI DSS v4.0 still has the familiar Control Objectives and 12 Key Requirements introduced in 2006, the new version makes multiple changes to the objectives and requirements to reflect how threats and technology have evolved.
PCI DSS v4.0 was released in 2022 and takes effect in March 2024, with some requirements not mandated until March 2025.
PCI DSS v4.0 includes dozens of new or updated security requirements that did not exist in earlier releases of the Standard.
Ten significant PCI DSS v4.0 requirement changes
- Disk- or partition-level encryption is no longer enough
- An anti-phishing solution is required
- A web application firewall (WAF) is required
- Multi-factor authentication (MFA) requirements updated
- A cryptographic key is required for stored hash values
- Certificates protecting cardholder data (CHD) must be signed by a valid certificate authority (CA)
- Enforcement of integrity controls for payment page scripts is required
- Hardcoded passwords for applications are not permitted
- Authenticated vulnerability scans are required
- Application/System account passwords must expire
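The integrity-control item above (authorized inventory plus integrity checking of payment page scripts) is illustrated by the following added example; it is not code from the article or from the PCI SSC. It audits a page's script tags against an inventory of authorized scripts using the Subresource Integrity (SRI) hash format browsers understand. The page HTML, the inventory and the script bodies are all constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """SHA-384 digest in the 'sha384-<base64>' form used by SRI integrity attributes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


# Constructed: script bodies as approved at inventory time (hypothetical paths).
AUTHORIZED_SCRIPTS = {
    "/static/checkout.js": b"window.checkout = function () { /* tokenize card */ };",
    "/static/analytics.js": b"console.log('page view');",
}
# The inventory records, per authorized script, the digest it must hash to.
INVENTORY = {url: sri_hash(body) for url, body in AUTHORIZED_SCRIPTS.items()}


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_payment_page(html: str, inventory: dict, served: dict) -> list:
    """Return one finding per failed control: script not in the authorized inventory,
    integrity attribute missing or mismatched, or served content drifted from inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if src not in inventory:
            findings.append(f"{src}: not in authorized inventory")
            continue
        if integrity is None:
            findings.append(f"{src}: missing integrity attribute")
        elif integrity != inventory[src]:
            findings.append(f"{src}: integrity attribute does not match inventory")
        # Re-hash what the server currently serves to catch post-approval changes.
        if src in served and sri_hash(served[src]) != inventory[src]:
            findings.append(f"{src}: served content changed since inventory")
    return findings


def sample_page() -> str:
    """Constructed payment page: one compliant tag, one without integrity, one unknown script."""
    return ('<script src="/static/checkout.js" integrity="%s"></script>'
            '<script src="/static/analytics.js"></script>'
            '<script src="https://cdn.example/unknown.js"></script>') % INVENTORY["/static/checkout.js"]


# Constructed: what the server serves now; analytics.js drifted after approval.
SERVED_NOW = {
    "/static/checkout.js": AUTHORIZED_SCRIPTS["/static/checkout.js"],
    "/static/analytics.js": b"console.log('page view v2');",
}
```

Running `audit_payment_page(sample_page(), INVENTORY, SERVED_NOW)` yields three findings: analytics.js lacks an integrity attribute and its served content has drifted, and the CDN script is not in the inventory.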
Here are some of the changes most likely to impact public sector organizations.
PCI DSS v4.0 Requirement 5.4.1 mandates that organizations take steps to mitigate the risk of phishing.[1] Phishing attacks—in which threat actors impersonate legitimate personnel in a bid to trick employees into handing over sensitive information—present a particular risk for public sector agencies because the names and contact information of public organization employees are often readily available through websites or public databases. This makes it particularly easy for attackers to identify employees whom they can attempt to impersonate and then target as part of a phishing campaign.
In response to this risk, implementing both training and tools can help public sector agencies meet the new anti-phishing requirements of PCI DSS v4.0. Public agencies should ensure that they train their personnel to recognize and resist phishing attacks. In addition, installing anti-phishing tools within IT systems can help to mitigate phishing risks by detecting suspicious communications sent to public employees via email, text or other systems.
According to Requirement 6.3.2, which takes effect in March 2025, organizations must "maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management."[2] Here again, this requirement is likely to pose a special challenge for government agencies, which, according to the website Government Technology, have historically struggled to maintain rigorous patch management programs and keep software up to date. Agencies will likely need a more systematic approach to patch management. They may need to implement new tools and processes to ensure they know which hardware and software assets they have, when patches are available for their software and how they can quickly apply patches to minimize the risk of vulnerabilities that attackers could exploit.
Web application security
Another new rule that goes into effect in March 2025—Requirement 6.4.2—mandates that organizations deploy cybersecurity software that "continually detects and prevents web-based attacks" against web applications.[3] Some public sector agencies may already have this type of solution in place to protect their websites. Those that do not may need to build stronger defenses in order to comply with PCI DSS v4.0. This requires them to first understand the multiple causes of security breaches against web applications—which include malicious hacks, malware, social engineering and other types of risks. Once the causes are understood, these agencies must then implement tools that can keep their applications safe, such as web application vulnerability scanning, web application firewalls, SQL injection scanners and cyber risk monitoring.
Stronger network security
In addition to enhancing application security, the new PCI DSS requirements include updated network security rules. Keeping certificates up to date has long been a network security best practice, but public sector agencies sometimes struggle to manage their certificates systematically and renew them before they expire. Going forward, it will be essential to correct certificate management weaknesses in order to maintain PCI DSS compliance. According to Requirement 4.2.1, all organizations must maintain up-to-date digital certificates to help authenticate secure devices that connect to their networks and that secure CHD in transit.[4]