Retailers are counting down the months to April 2024, when the latest (and biggest) set of changes to the Payment Card Industry Data Security Standard (PCI DSS), version 4.0, comes into play: the previous version, v3.2.1, is retired on 31 March 2024. This is the largest change to the standard since it was first published in 2004, and it will affect every organisation that stores, processes or transmits cardholder data, from e-commerce businesses to the public sector.

The new version carries 74 new requirements, 62 of which apply specifically to retailers and merchants. Two of the changes, however, matter more than the rest.

First, there is an increased focus on continuous compliance, which places an emphasis on maturing processes. Under the new standard it is no longer enough to implement controls: their effectiveness and performance over time must be measured, reported and re-aligned with the requirements, so that compliance is a state the organisation maintains rather than a point-in-time result.

The second major update is that a “customised approach” is now available alongside the traditional “defined approach”. Previously the standard was prescriptive and retailers could only apply the defined (literal) controls. Under v4.0, a retailer that meets the stated security objective of certain requirements by other means can document and validate that as a customised approach. This is not a shortcut: each customised control needs a targeted risk analysis (Requirement 12.3.2) and its own testing procedures, which the assessor then reviews.

How will retailers be impacted?

Payment credentials such as credit and debit card numbers are among the most sought-after data types for external and internal cyber criminals, because they are one of the easiest to monetise. Attackers are using new phishing tactics and malware to capture payment forms as they are submitted on websites. The stolen data can then be used in several ways: the card number is used directly for fraudulent purchases, or it is sold to other criminals who build new digital identities and commit online fraud and scams.

Retailers are naturally at the forefront of accepting payment card details from customers and are seen as a honeypot of valuable data by cyber criminals. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), social engineering attacks on the retail industry rose from 16% to 29% in 2021. Credentials, which are often used to break into servers and deploy ransomware, are another of the top data types compromised in retail. Attackers are combining a range of new phishing tactics with “app data” malware that captures card numbers as they are processed by web payment forms. Security breaches in retail are particularly damaging, resulting in lost customer confidence, bad press and declining profits.

In response to these specific threats in the payment industry, PCI DSS v4.0 introduces new and enhanced technical requirements, several of which bear directly on retailers. First, an anti-phishing mechanism is now a control in its own right (Requirement 5.4.1), and an automated technical solution, typically a Web Application Firewall (WAF), is now mandatory for public-facing web applications (Requirement 6.4.2), where v3.2.1 offered it only as one of two options alongside application vulnerability reviews. Second, Requirement 8 (8.4.2) now requires multi-factor authentication (MFA) for all access into the cardholder data environment, not just for administrative and remote access as before. Finally, the minimum password length rises from 7 to 12 characters (Requirement 8.3.6; 8 where a system cannot support 12), and a review of all user accounts and their access privileges at least once every six months is now mandatory (Requirement 7.2.4). All of these are future-dated requirements, treated as best practice until 31 March 2025, after which they are assessed as normal.
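The six-monthly account and privilege review, the MFA coverage check and the password-length minimum above are process controls that most retailers will end up automating against an export from their directory or IAM system. The script below is an added example written for this article, not code from Verizon or from the PCI Security Standards Council; the user export is constructed for illustration, and the requirement numbers and thresholds in the constants are our reading of PCI DSS v4.0, to be confirmed against the standard text and with your assessor before use.

```python
"""Account and privilege review helper for a PCI DSS v4.0 in-scope system.

Added example, not part of the original article. The sample export is
constructed; the thresholds are our reading of PCI DSS v4.0 requirements
8.2.6, 7.2.4, 8.3.6 and 8.4.2 (assumption: verify against the standard).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVE_DAYS = 90        # 8.2.6: inactive accounts removed/disabled within 90 days
REVIEW_DAYS = 183         # 7.2.4: privileges reviewed at least every six months (assumed ~183 days)
MIN_PASSWORD_LENGTH = 12  # 8.3.6: minimum password length (future-dated, 31 March 2025)


@dataclass(frozen=True)
class Account:
    username: str
    privileges: frozenset          # e.g. {"cde-admin"}; empty set = no privileges
    last_login: Optional[date]     # None = never logged in
    last_review: Optional[date]    # date an owner last attested the privileges
    mfa_enrolled: bool
    cde_access: bool               # account can reach the cardholder data environment


def days_since(when: Optional[date], today: date) -> Optional[int]:
    return None if when is None else (today - when).days


def review_account(acct: Account, today: date) -> list:
    """Return the PCI DSS v4.0 findings for one account (empty list = clean)."""
    findings = []
    idle = days_since(acct.last_login, today)
    # A never-used account has no activity to show for it, so it is treated as inactive.
    if idle is None or idle > INACTIVE_DAYS:
        findings.append("8.2.6 inactive >90 days: disable or remove")
    reviewed = days_since(acct.last_review, today)
    # Only accounts that actually hold privileges need an attested review.
    if acct.privileges and (reviewed is None or reviewed > REVIEW_DAYS):
        findings.append("7.2.4 privileges not reviewed in the last six months")
    if acct.cde_access and not acct.mfa_enrolled:
        findings.append("8.4.2 CDE access without MFA")
    return findings


def review_password_policy(min_length: int) -> list:
    """Flag a system-wide password policy weaker than 8.3.6 allows."""
    if min_length < MIN_PASSWORD_LENGTH:
        return [f"8.3.6 minimum password length is {min_length}, must be {MIN_PASSWORD_LENGTH}"]
    return []


def run_review(accounts, min_length: int, today: date) -> dict:
    """Map every account (and the password policy) to its findings, for the review record."""
    report = {a.username: review_account(a, today) for a in accounts}
    report["<password-policy>"] = review_password_policy(min_length)
    return report


# Constructed sample export: hypothetical names and dates, not real data.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("pos-admin", frozenset({"cde-admin"}), date(2024, 2, 28), date(2023, 11, 15), True, True),
    Account("j.smith", frozenset({"report-viewer"}), date(2023, 10, 1), date(2023, 6, 1), False, True),
    Account("svc-legacy", frozenset(), None, None, False, False),
    Account("qsa-temp", frozenset({"cde-admin"}), date(2024, 2, 20), None, False, True),
]

if __name__ == "__main__":
    # Assumed system-wide minimum password length of 7, the old v3.2.1 value.
    for name, findings in run_review(SAMPLE_ACCOUNTS, 7, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against the constructed export, the script clears `pos-admin`, flags `j.smith` on all three account rules, flags the never-used `svc-legacy` only as inactive (it has no privileges and no CDE access), and flags the freshly created `qsa-temp` for an unreviewed privileged role without MFA. Keeping the output as a per-account list of requirement references, rather than a single pass/fail, is what lets the review itself be evidenced to an assessor.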

How to plan the updates (if you are not already underway)

There are two deadlines. PCI DSS v3.2.1 is retired on 31 March 2024, after which all assessments must be performed against v4.0. The future-dated requirements, which include most of the new technical controls described above, remain best practice for a further year and become mandatory on 31 March 2025.

Retailers should already have started planning for the new standard; if not, the first step is to complete a PCI business impact analysis immediately and turn it into a roadmap with owners and dates.

Rokon Zaman (Verizon Cyber Security Consulting).

Although some of the technical controls do not become mandatory until 31 March 2025, retailers need to design the changes and allocate budget, technology and people for them now. That means extending MFA coverage to everyone who can reach the cardholder data environment, upgrading endpoint security to include anti-phishing protection, updating and rolling out security awareness training, and assessing the cultural and resourcing impact of the operational processes that have to change.

The new standard provides some flexibility through its customised approach, which lets retailers design their own security controls and testing procedures. With that flexibility comes the need for a high degree of competence and maturity in risk management and assessment, both in the entity’s own risk management team and in the Qualified Security Assessor (QSA) who has to validate the customised controls.

Verizon’s Payments Security Report – turning the 5 key messages into actionable strategies

Verizon Business recently released the 2023 Payment Security Report (PSR), which guides retailers on the critical areas they need to address in the design of their security management programme, not only to meet the deadline but to set the organisation up for long-term success.

This includes the role of PCI security integration into larger corporate governance, risk management, and compliance initiatives as well as the tools needed for modern program design.

Compliance is often seen as added complexity on top of the already difficult job of securing digital payments against evolving threat actor capabilities. Effective methods for achieving payment security compliance do exist, and the Verizon Payment Security Report sets them out, with the aim of making PCI DSS v4.0 outcomes predictable and letting organisations improve the performance of their security programme design.

The 2023 PSR guides organisational leaders through designing and managing a PCI security compliance programme, offering adaptable models for organisations to use. It also describes leading management methods for identifying and overcoming the most significant constraints, and a process for clarifying the root causes of poor security programme performance.

Its five key messages are:

  1. As e-commerce and PCI DSS requirements evolve, so too should security programmes. Retail organisations should use this period not just to implement the standard literally but as an opportunity to revisit the effectiveness of their cyber security practices.
  2. Data security and compliance success is achieved by design, not luck. Retailers will not get there by trial and error. Success with this standard is best achieved “by design”: actions should be deliberate and intentional, following a clearly designed process, with a clear focus and objective, and with teams working in a systematic and methodical manner.
  3. Leading management methods simplify programme management complexity and help organisations to be economical and achieve more with less. Security controls should benefit the organisation, not merely satisfy a requirement, since each control carries cost and operational risk of its own. By incorporating performance evaluations into management reviews, retailers can identify constraints and their root causes and apply lessons learned to improve technology, people and process.
  4. Retailers should design security programmes to focus on what matters most and to overcome the most important constraints. Implementing a mature security management programme is not only about procuring technology. Retailers should put in place a proper structure and governance that spans technology, operational procedures and people. Verizon’s PSR presents a toolbox of models, frameworks and best-practice principles to help organisations implement a mature and sustainable security management compliance framework, and briefly explains common programme design mistakes to avoid.
  5. An integrated programme management design can be applied to new programmes and can vastly improve existing ones. Retailers should view the security programme holistically rather than as a set of point requirements. For example, problems with security rules and policies relate to change management; unauthorised access relates to management review and approvals; and security monitoring feeds into incident response. The controls are connected, and each reinforces the others when they are addressed and implemented properly. The new standard is designed to harness these capabilities and establish better management of PCI programmes.

Ferdinand Delos Santos and Rokon Zaman are leaders of payment security programs at Verizon Cyber Security Consulting in APAC.