Securing Payments: What to Know About PCI-DSS 4.0

Announcer  00:00

Craig, welcome to the Treasury Update Podcast presented by Strategic Treasurer. Your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.

Craig Jeffery  00:18

Good day and welcome to the Treasury Update Podcast. This is Craig Jeffery. I’m your host for today’s episode. It’s part of a series on payment rail and payment messaging standards. This is where we look at things like Swift, CSP, payment card industry, data security standards, some of the different payment rails that require companies that are on these rails to protect their data, ensure that people are trained in an effort to not only protect confidential information, but the integrity of those payment systems. And I’m joined again by a colleague from strategic treasure, Christin Cifaldi. Christin, welcome again.

Christin Cifaldi  01:00

It’s great to be on again, Craig.

Craig Jeffery  01:01

Christin is the Director of Product Development and Analytics at our firm. So glad to have you here. Christin, so so PCI DSS stands for Payment Card Industry Data Security Standards. I know you’re going to go through some numbers, so I’m interested to hear what eight, 612, and 57 mean. Eight, 612, and 57 what are the standards that we’re talking about here?

Christin Cifaldi  01:25

So PCI issues a family of eight standards, which includes the PCI DSS data security standards. And so that’s the eight, Craig, we’ve got the eight standards, and here today, we’re only talking about data security. We aren’t going into any of the other seven. PCI DSS consists of six objectives and 12 principles.

Craig Jeffery  01:50

So we’ve got our eight, six and 12 so far. So the PCI DSS has six objectives. Maybe you could explain what those are and what they mean to people who are involved in payments.

Christin Cifaldi  02:02

Yeah, so the first objective is building and maintaining a secure network and systems related to the transference of payment data and user data, or, sorry, cardholder data, on those systems. And the principles behind this would be installing and maintaining network security controls and applying secure configurations to all system components, so working with your IT and cybersecurity departments to tighten up that network security and to document it. So a big thing with PCI, DSS and ensuring compliance if you have an audit, is everything needs to be written down and it needs to be shared with all relevant parties. So everything that’s touching these payments needs to be aware. Excuse me, everybody who’s touching the payment systems needs to be aware of what’s going on.

Craig Jeffery  02:55

The second one that you mentioned, the second principle within that first objective, was applying secure configurations to all system components this. This probably means, at a minimum, not using the default password. It probably means.

Christin Cifaldi  03:07

Yes, yes, yep. So no, no default passwords, you know, no unnecessary ports, not keeping the ports open, yeah, not keeping ports open for access. And then also your, your usual making sure that there’s firewalls in place, they are updated, that there’s malware software installed that’s tracked and updated regularly.

Craig Jeffery  03:30

So the proof of the pudding is in the testing there, right? So that’s number one. What’s what’s number two from an objective standpoint of the six.

Christin Cifaldi  03:37

Number two is protecting cardholder data under the new standards, you’re required to protect all stored account data and cardholder data with strong cryptography during the transmission of this data over open, public networks.

Craig Jeffery  03:52

And the third is.

Christin Cifaldi  03:54

Third is maintaining a vulnerability management program. So here we’re talking about protecting systems and networks from malicious software and developing and maintaining secure systems and hardware. They these things do sound like they’re very repetitive, and the point is to just really hammer home that you need to be extra diligent in limiting your exposure to anything like malicious software cyber attacks, and that the best way to help prevent this is to put controls in place and just lock everything down.

Craig Jeffery  04:29

Yeah, so one in three sounds similar in a way, because it’s secure networks and systems, and the other is a management program. So it’s two different ways of looking at the same area. One is the setup, I guess, and the systems, and the other is continual review. What’s number four?

Christin Cifaldi  04:43

Number four is implementing strong access and control measures. So here is where we’re going to get into the not using the standard passwords, right? We’re restricting access to system components and cardholder data by business need to know that principle of least privilege. We’re going to identify. Users and authenticate access to system components using multi factor authentication as an example. And we’re also going to restrict physical access to cardholder data, so securing the areas using card access and camera security where that data is stored, particularly in the IT area, if it’s on any local servers,

Craig Jeffery  05:24

The fifth one has to do with monitoring.  What’s number five?

Christin Cifaldi  05:28

Five is regularly monitoring and testing networks. So constant logging and monitoring all access to system components and cardholder data allows for auditors or anybody internal to see when things were accessed. So if something goes wrong, we can know when we’re also monitoring. So we can see in maybe not real time, but we can definitely see when something goes wrong and start to review those logs pinpoint. We can automatically shut things down, put our incident response plan into effect if we’re noticing through monitoring, and it’s testing security of systems and networks regularly.

Craig Jeffery  06:09

All right, excellent, that’s five of the six. What’s number six?

Christin Cifaldi  06:13

Number six is maintaining an information security policy, supporting our information security teams with robust organizational policies and programs. And as I mentioned before, PCI DSS requires everything to be written down and shared with everybody touching the payment data. And if you didn’t write it down, you will get dinged on your audit.

Craig Jeffery  06:40

All right. So those are the those are the six objectives of PCI, DSS, but I want to do a quick review to make sure I have this exactly right, or that we’re communicating it exactly right. The Payment Card Industry Security Standards Council has a or the PCI element issues a family of eight standards, and we’ve been talking about one of those standards, which is PCI, DSS. Then we looked at those six objectives. And as you described those, you went through the 12, the 12 principles. What’s 5757

Christin Cifaldi  07:13

is the number of new controls being implemented in version four.

Craig Jeffery  07:19

That sounds bad. I mean, version four says it’s been around for a while, because they’re not making all these updates every year. 57 new requirements seems, shall we say, excessive. What are some of these standards? How do we get our minds around that large of a number for all things have to be implemented within this this time frame, so it’s a lot.

Christin Cifaldi  07:43

Yes, so the implementation deadline for PCI DSS version four is actually March 31 2024 to give PCI some credit, though, they did release version four in March 2022, and they provided two years for organizations to prepare and implement the 57 new requirements. So it sounds terrible, but there was some time also, in addition to those 57 new requirements, they did update seven existing requirements. So that brings the number up. Today we’ll be talking about two of the new requirements that we’ve identified as being of high importance. Obviously, 57 is we could do many, many podcasts covering all of that.

Craig Jeffery  08:30

No, no, that’s more like, that’s more like written material. Not going to talk to 57.

Christin Cifaldi  08:35

In depth training.

Craig Jeffery  08:37

One of those, I think you were talking about, was protecting all systems and networks from malicious software. This is an ongoing threat. What are some of the takeaways from that?

Christin Cifaldi  08:45

This is requirement five for those of you who like to refer back to the document. And so it’s very important to consistently scan your systems and your networks to protect them from malicious software. And so this section is essentially defining how often you should scan and what sort of procedures you should keep up and again, the written procedures they need to be documented, kept up to date, utilized and distributed to all effective parties. These would include defining roles and responsibilities for those performing the scanning for the malicious software, and that you know you’re ensuring anti malware solutions are deployed on all relevant system components. So anything touching those payments needs to have these anti malware solutions deployed. They need to detect all known. The keyword there is known types of malware, and it needs to be removed, blocked or contained. So you need to be able to document that this software that you’ve installed is regularly updated, and that it has the ability to remove, block or contain any issues that it finds we’ve. You mentioned the importance of periodic evaluations and the documentation of the outcomes, and then we’ve also gone over automatic updates. We don’t want to rely What if your cybersecurity folks are called out for another emergency? What if you only have one person because you’re a smaller company and they’re on vacation, you want to keep those solutions running on automatic updates and have a set time frame for scans that folks are aware of. Audit logs need to be enabled and retained. So a lot of documentation and automation here.

Craig Jeffery  10:41

That’s a lot, a lot of great information. Christin, you know? And so these, these 57 that number is, is huge, but many of these are overall security standards that are out there, you know. This the automatic updates that’s considered by CISOs and those that are in the security business to be one of the most effective ways of preventing issues, keep stay current on your on your software, and that’s, and there’s, there’s other updates, like making sure people are trained, update your software, your firewalls, test it, report it, check it. But also train, train your people. And there’s a, there’s a training requirement that people who are involved in, you know, overseeing accounting it all have, I have training requirements under PCI DSS as well.

Christin Cifaldi  11:28

That’s correct. That’s a good point, Craig. So a lot of these security protocols, not just PCI DSS, but for other agencies or entities that may have some oversight on your security or recommended controls. A lot of them are common sense, and you might already have them in place to the letter. So it can seem intimidating, but once you get your it, folks in, they could most likely just be, oh, we’re doing that already. Here’s my documentation, and it’s actually not as difficult or time consuming as you may think.

Craig Jeffery  12:00

Yeah, it might be very time consuming, but if you’ve done most of them, it’s or you have minor updates. It’s not like a complete blank sheet of paper as we wrap up the PCI, DSS session and overview, any anything that we should be thinking about how this changes over time? What do people need to do to stay current. Any other, any final thoughts?

Christin Cifaldi  12:24

Yeah, so PCI DSS will release amended versions of four. They aren’t planning on doing a massive overhaul into a version five in the immediate future, just making sure that we’ve got all of the version four things implemented and that we’re meeting the deadline, or we are at least aware of any any discrepancies that need to be remediated to meet version four standards.

Craig Jeffery  12:52

I thought we agreed to use the word anomalies, not discrepancies, discrepant anomalies.

Christin Cifaldi  13:00

So identifying any anomalies that need to be remediated.

Craig Jeffery  13:03

Anomalous discrepancies. Awesome. No, that’s great. Thanks. Thanks so much. Christin.

Christin Cifaldi  13:09

You’re welcome, Craig.

Announcer  13:18

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.