
PCI DSS requirements for banks: Preparing for PCI DSS 4.0

Author: Phil Muncaster

PCI DSS 4.0 is the most significant update since the Payment Card Industry Data Security Standard (PCI DSS) was introduced back in 2004. For nearly two decades the PCI Security Standards Council (PCI SSC), a global payment security forum, has required compliance with an ever-evolving set of technical and operational requirements designed to protect customer account data. It applies to all payment processors, so understanding PCI DSS requirements for banks is an important task for financial services chief information security officers (CISOs).

Organizations across the globe will be looking closely at the latest version of the standard, which was designed to address emerging threats to customer payment information and to allow innovative methods of combating them.

Although the current version (3.2.1) will remain active for two years, until it is retired in March 2024, PCI compliance is a complex undertaking, so there's no time to waste.

Why is understanding PCI DSS requirements for banks important?

The PCI DSS mandates a rigorous set of requirements for any organization that accepts, stores, processes, or transmits credit card information. The idea is that if organizations follow these, they will be more resilient to breaches of cardholder data. However, Verizon's 2020 Payment Security Report (PSR), which has documented compliance trends in the payment security industry for more than a decade, found that only 27.9% of global organizations maintained full compliance with the PCI DSS, and that there has been a clear downward trend in PCI DSS compliance since its 2016 peak.

This highlights the continued challenges surrounding PCI compliance in banking. At the same time, compliance has never been more important, given a fast-moving threat landscape. Over the course of the pandemic, financial institutions invested heavily in digital transformation. These investments increased the size of the corporate cyber-attack surface and created new risks, including:

  • Unpatched assets, such as home working endpoints
  • Misconfigured assets, such as cloud databases
  • Unsecured remote working infrastructure like legacy VPNs and remote desktop protocol (RDP) endpoints
  • Employees working from home who may be more willing to bypass security policy and engage in risky behavior
  • An expanded network of physical and digital supply chain providers featuring suboptimal security

Threat actors are quick to take advantage of such changes. One vendor detected a 1,318% year-on-year increase in ransomware attacks on the banking sector in the first half of 2021. According to the Data Breach Investigations Report (DBIR), Verizon's annual publication providing a deep analysis of global cybersecurity breaches, most threat actors targeting the industry last year were external, financially motivated, and focused on stealing personal and bank data as well as credentials. Alongside user error, basic web application attacks and social engineering represented the vast majority (81%) of breaches in the sector. The 15th anniversary edition of the DBIR is available May 24th, 2022; sign up to be notified here.

What's new in PCI DSS 4.0?

After consulting the industry for three years, the PCI Security Standards Council (PCI SSC) has created version 4.0 of PCI DSS to ensure it stays relevant as defensive measures and attack techniques evolve. The Council states that the update focuses on:

  • Promoting security as a continuous process
  • Increasing flexibility for organizations that use different methods to achieve their security objectives
  • Enhancing validation methods and procedures

A summary of the key changes from v3.2.1 to v4.0 can be found here. Some of those highlighted by the PCI SSC include:

  • An expanded range of acceptable network security controls used to meet the objectives traditionally met by firewalls
  • An expanded requirement to implement multifactor authentication (MFA) for all access into the cardholder data environment
  • Greater flexibility for organizations to demonstrate how they're using different methods to achieve security objectives
  • The addition of targeted risk analyses, designed to give banks, financial institutions, and other industries more flexibility in how frequently they perform certain activities
  • A new customized design approach

How to approach PCI compliance

The sheer volume of information required to understand the impact of PCI DSS 4.0 can seem overwhelming, and it is not obvious how best to identify the kinds of risks that PCI DSS was designed to mitigate. That is why Verizon publishes the PSR guide: to track annual compliance by industry and region and to make recommendations that ease the complexity of PCI compliance and the understanding of PCI DSS requirements for banks. This in-depth guidance focuses on how to prioritize, determine your goals and requirements, and remove constraints for continuous, sustainable compliance. Here are a few important points outlined in the report:

Security as a business-as-usual culture

PCI DSS 4.0 has a major focus on moving businesses from checkbox compliance with annual assessments to running continuous security processes, driven by sustainable goals and improved validation procedures. This will help to improve cyber resilience and help with collecting industry data on how PCI DSS requirements, including those for banks, are being met. Although control failures can still occur, they should be brief, quickly detected and rapidly corrected.

Take time to think

Banking security leaders need to carefully examine each updated requirement in PCI DSS 4.0 and what it means for their specific organization. Before assigning tasks, understand the scope of the project in terms of goals, requirements and constraints.

Consider a customized approach

PCI DSS 4.0 introduces enhanced validation methods and procedures, which enable banks to blend a traditional "defined only" approach with an objective-based, customized approach. The former will be familiar to any PCI-compliant organization: required security controls must be implemented wherever applicable. The new customized option enables banks to use security approaches that may differ from traditional PCI DSS requirements, as long as they can show that the controls meet the intent of the relevant requirement and can validate their effectiveness.

This enhanced flexibility means organizations can implement security without needing to wait for PCI DSS to catch up. Validation focuses on specific security outcomes, rather than a "must implement" approach.

Be cautious in adopting new approaches

Organizations must work with their Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to agree on and develop tailored testing procedures. They should look for blind spots and unintended consequences stemming from customized controls.

Understand goals, requirements and constraints

A comprehensive and sustainable design approach is key to averting unintended consequences that could lead to a breach. To help with PCI compliance in banking, Verizon recommends banks apply a "Goals, Requirements and Constraints Model" to create an efficient, sustainable customized security approach. The PSR has a raft of detailed advice on how to do so.

Learn more about PCI compliance in banking and how Verizon can bolster your cyber security strategy.

The author of this content is a paid contributor for Verizon.

FAQ

Why was PCI DSS 4.0 released?

To ensure the standard stays relevant amidst technology, business and threat landscape changes.

When was PCI DSS 4.0 published?

It was published on March 31, 2022.

When does PCI DSS 4.0 go into effect?

It goes into effect on March 31, 2024.