PCI SSC Publishes PCI Data Security Standard v4.0

The PCI Security Standards Council (PCI SSC), a global payment security forum, published version 4.0 of the PCI Data Security Standard (PCI DSS).

PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.

The current version of PCI DSS (v3.2.1) will remain active for two years until it is retired on 31 March 2024. Once assessors have completed training in PCI DSS v4.0, organizations may assess to either PCI DSS v4.0 or PCI DSS v3.2.1. The standard also provides additional time for organizations to implement many of the new requirements.

Updates to the standard focus on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures.

Examples of the changes in PCI DSS v4.0 include:

  • Updated firewall terminology to "network security controls" to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Expansion of Requirement 8 to require multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they use different methods to achieve security objectives.
  • Addition of targeted risk analyses that allow entities the flexibility to define how frequently they perform certain activities, as best suited to their business needs and risk exposure.

Documents

PCI DSS v4.0 at a glance

Summary of changes

PCI DSS v4.0
