When the Payment Card Industry (PCI) Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS) in March 2022, it came with a two-year transition period during which the previous version remained valid and organizations could become familiar with the new requirements. Two years is a long time, and if history is any guide, many affected organizations will not take the updated standard seriously until shortly before March 31, 2024, when PCI DSS 3.2.1 is retired and assessments must be performed against 4.0. Some will even wait until after that date to work out what is new and what they have to do to comply. Fortunately, some are already asking when training and exams for the various certifications will be available. Keep an eye on the PCI Security Standards Council website for updates.
According to the PCI Security Standards Council announcement, PCI DSS 4.0 does not represent a wholesale change from the current standard, PCI DSS 3.2.1, but there are several notable updates, including:
- Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
- Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
- Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
- Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.
Flexibility to Achieve PCI DSS 4.0 Compliance
These changes give organizations more than one way to protect payment card data, reflecting the newer tools and techniques now available to those involved in processing and managing payment card transactions. That flexibility matters: the threat landscape and the available controls change faster than a standards body can publish revisions, so a standard that defines security objectives rather than prescribing one specific technology ages better. If the goal is better security for account data and stronger privacy protections for consumers, that is a good thing.
PCI Security Standards Council SVP and standards officer Emma Sutcliffe said at the time that “PCI DSS 4.0 is more responsive to the dynamic nature of payments and the threat environment. [PCI DSS] 4.0 continues to reinforce core security principles while providing more flexibility to better enable diverse technology implementations. These updates are supported by additional guidance to help organizations secure account data now and into the future.”
Diplomat MFT is a Solid PCI DSS 4.0 Option
For our customers who rely on Diplomat MFT to keep payment card data protected while it is transferred to trading partners, we remain a solid option after PCI DSS 4.0 takes effect. Diplomat MFT supports user authentication, including multi-factor authentication schemes, which is relevant to the expanded Requirement 8. Note that in PCI DSS 4.0 the requirement for MFA on all access into the cardholder data environment is future-dated: it is a best practice until March 31, 2025, after which it becomes mandatory. Also note that a product supporting MFA is only part of the picture; the organization must actually enable and enforce it for every path into the cardholder data environment, and an assessor will check that it is enforced, not merely available. Beyond authentication, Diplomat MFT automates file encryption using OpenPGP, supports secure transport protocols such as SFTP, and delivers complete process auditability so that every step of a transfer is documented. Encryption of data at rest and in transit, strong authentication, and audit logging are common requirements across data security and privacy regulations worldwide. Coviant Software has you covered.
We recommend keeping a close eye on the PCI Security Standards Council for updates on PCI DSS 4.0, because failure to comply with the new standard can have serious financial consequences for organizations that do not keep pace. Suspension of card processing privileges and fines of up to $100,000 per month, levied by the card brands and typically passed down through the acquiring bank, are serious penalties. Also, while PCI DSS is an industry standard and not a regulation, a number of data security and privacy laws cite PCI DSS compliance as a benchmark. And maintaining secure data management and transfer processes should be regarded as standard business practice for any organization that wants to minimize the risk of a data breach, which brings its own headaches.
Coviant Software is Here for You
Diplomat MFT is engineered to be an essential element of any compliance program and to do what is needed—simply, efficiently, reliably, and automatically—to keep data safe. We are here for you now and when PCI DSS 4.0 takes effect next year. Meanwhile, if you’ve got questions about how secure managed file transfer software can help you comply with data security laws and standards, and manage data more safely and efficiently, contact us for answers or to schedule a demonstration.