PCI DSS might sound like just another acronym, but if your business stores, handles or transfers payment card data, it’s important that you keep abreast of these regulations and any changes.
Last year the PCI Security Standards Council announced PCI DSS 4.0 to the industry, meaning many business policies and practices will need to be reviewed to ensure compliance. For those not in the know, the PCI Security Standards Council is made up of several financial institutions, including Visa, MasterCard and American Express, and exists to manage the evolution of the PCI DSS. The Council explained that 4.0 will “address emerging threats and technologies and enable innovative methods to combat new threats”.
While 4.0 was officially introduced last year, it is currently only ‘best practice’ until it becomes a legal requirement in March 2025. And although that is 2 years away, the full effect of the changes could involve significant operational changes, so now is a great time for businesses to start exploring what they need to do in order to comply.
We won’t bore you with the full list of changes being introduced as part of the new regulations, but our experts have been through them thoroughly, and picked out some of the stand-out points for businesses to consider.
Embrace new technologies
Businesses are encouraged to customise their approach to their specific business requirements, and to embrace new technologies and innovations, provided they meet their needs and the 4.0 objectives.
Bolster password security
In an ongoing effort to improve security, 4.0 includes new password requirements:
- Passwords must expire after 90 days
- Users are locked out after 30 minutes of inactivity
- Password length must be 12 or more characters
- Maximum 10 failed attempts before lockout
- Combination of numeric and alphabetic characters
- Password cannot match the 4 previous passwords
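To make the list above concrete, here is an added example (not code from the original post or from the PCI Security Standards Council) showing how the six rules can be enforced in an authentication back end. The `Account` record, the function names and the use of a salted SHA-256 digest for the password-history comparison are assumptions made for this illustration; a production system would store credentials with a dedicated password hash such as bcrypt or Argon2.

```python
"""Illustrative enforcement of the PCI DSS 4.0 password rules listed above.
Added example, not from the original post; the helper names and the
in-memory Account record are assumptions made for this illustration."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# The six numeric parameters from the list above.
MIN_LENGTH = 12            # characters
MAX_AGE_DAYS = 90          # password expiry
IDLE_TIMEOUT_MIN = 30      # inactivity lockout
MAX_FAILED_ATTEMPTS = 10   # failed logins before lockout
HISTORY_DEPTH = 4          # previous passwords that may not be reused


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted digest used only to compare against the password history.
    sha256 keeps this example dependency-free; use bcrypt/Argon2 in production."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, digest), oldest first
    last_changed: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    failed_attempts: int = 0


def check_complexity(password: str) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def reused_recently(password: str, account: Account) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def set_password(account: Account, password: str, now: datetime) -> list:
    """Apply length, composition and history rules; store the password if clean."""
    problems = check_complexity(password)
    if reused_recently(password, account):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if not problems:
        account.history.append(hash_password(password))
        account.last_changed = now
        account.failed_attempts = 0
    return problems


def password_expired(account: Account, now: datetime) -> bool:
    """90-day expiry: an account with no recorded change is treated as expired."""
    return (account.last_changed is None
            or now - account.last_changed > timedelta(days=MAX_AGE_DAYS))


def session_idle_expired(account: Account, now: datetime) -> bool:
    """30-minute inactivity lockout for an established session."""
    return (account.last_activity is None
            or now - account.last_activity > timedelta(minutes=IDLE_TIMEOUT_MIN))


def record_login_attempt(account: Account, succeeded: bool) -> bool:
    """Count consecutive failures; returns True once the account is locked."""
    account.failed_attempts = 0 if succeeded else account.failed_attempts + 1
    return account.failed_attempts >= MAX_FAILED_ATTEMPTS


def demo() -> dict:
    """Walk the rules with constructed values and return each outcome."""
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed timestamp
    acct = Account()
    r = {}
    r["weak_rejected"] = set_password(acct, "short1", t0)
    r["no_digit_rejected"] = set_password(acct, "onlylettershere", t0)
    r["first_accepted"] = set_password(acct, "Correct-Horse-42", t0)
    r["reuse_rejected"] = set_password(acct, "Correct-Horse-42", t0 + timedelta(days=1))
    for i in range(HISTORY_DEPTH):            # rotate through four new passwords
        set_password(acct, f"Rotation-Password-{i}", t0 + timedelta(days=2 + i))
    r["oldest_reusable_after_rotation"] = set_password(acct, "Correct-Horse-42", t0 + timedelta(days=7))
    r["expired_after_91d"] = password_expired(acct, t0 + timedelta(days=7 + 91))
    r["not_expired_at_30d"] = password_expired(acct, t0 + timedelta(days=7 + 30))
    acct.last_activity = t0
    r["idle_after_31m"] = session_idle_expired(acct, t0 + timedelta(minutes=31))
    locked = [record_login_attempt(acct, False) for _ in range(MAX_FAILED_ATTEMPTS)]
    r["not_locked_on_ninth"] = locked[-2]
    r["locked_on_tenth_failure"] = locked[-1]
    return r


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

The history check deliberately hashes the candidate with each stored salt rather than storing plaintext history, and the failure counter is reset on a successful login and on a password change so that a legitimate user is not carried into lockout by stale attempts.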
Risk assessment documentation
An annual risk assessment must take place, and must be documented where it can easily be reviewed upon request by the Council assessors.
Roles and responsibilities
Specific roles and responsibilities must be assigned, and understood. This should all be documented and available for review upon request.
Fit-for-purpose cyber security
As part of their cyber security solution, businesses must have automation in place to detect and prevent web-based cyber-attacks.
If you have any questions about these regulation changes, or would like to discuss how to ensure your business is compliant, please reach out to our experts.