Public-sector agencies that handle credit and debit card transactions are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). A new version of the standard, PCI DSS v4.0, is slated to take effect in 2024. It requires agencies to meet new and enhanced compliance requirements and marks the most significant revision since the standard's inception in 2004. According to Manish Chaudhari, CISO of Cybernetic Global Intelligence, an internationally recognised cybersecurity firm and PCI DSS QSA service provider, the new version of PCI DSS will make the whole cybersecurity architecture more resilient and robust.
Under PCI DSS, organisations, including businesses and public-sector entities, accepting credit or debit card payments (e.g., Mastercard, Visa) must comply with its requirements. Failure to do so can lead to substantial fines and the potential suspension of card payment acceptance. PCI DSS v4.0, the latest iteration, represents the most substantial overhaul in 19 years, introducing several noteworthy changes. Although the fundamental structure of the PCI Standard remains intact, v4.0 brings forth key modifications to align with evolving objectives and requirements.
Notable changes in PCI DSS v4.0 include:
- Disk- or partition-level encryption alone is insufficient.
- Implementation of an anti-phishing solution is mandatory.
- A web application firewall (WAF) is now a requirement.
- Multifactor authentication (MFA) requirements have been updated.
- Stored hash values must be protected by a cryptographic key.
- Certificates safeguarding cardholder data (CHD) must be signed by a valid certificate authority (CA).
- Enforcement of integrity controls for payment page scripts is mandatory.
- Hardcoded passwords for applications are prohibited.
- Authenticated vulnerability scans are obligatory.
- Application and system account passwords must have expiration policies.
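The requirement that stored hash values be protected by a cryptographic key is easiest to see side by side with the unkeyed alternative. The following is an added illustration and is not code from the article or from Cybernetic Global Intelligence; it assumes a sample PAN (the well-known Visa test number 4111111111111111, not real cardholder data), a 256-bit key that in practice would come from an HSM or key management service, and the hypothetical helper names used below.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample PAN (a published test number), not real cardholder data.
SAMPLE_PAN = "4111111111111111"


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Anyone can recompute it, so it is not a protected form of the PAN."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the PAN. Producing or verifying the digest requires the secret key."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits, managed like any other cryptographic key")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def matches(pan: str, key: bytes, stored_digest: str) -> bool:
    """Constant-time comparison of a presented PAN against the stored keyed digest."""
    return hmac.compare_digest(keyed_hash(pan, key), stored_digest)


def recover_from_unkeyed(digest: str, known_prefix: str) -> Optional[str]:
    """Why an unkeyed hash is not protection: if the first 12 digits are known
    (a truncated PAN on a receipt shows most of them), only 10,000 candidates remain
    and each can be checked against the digest with no secret at all."""
    for tail in range(10_000):
        candidate = f"{known_prefix}{tail:04d}"
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: fetched from an HSM or key management service
    print("unkeyed digest maps back to the PAN:",
          recover_from_unkeyed(unkeyed_hash(SAMPLE_PAN), SAMPLE_PAN[:12]) == SAMPLE_PAN)
    digest = keyed_hash(SAMPLE_PAN, key)
    print("keyed digest verifies with the key:", matches(SAMPLE_PAN, key, digest))
    print("same PAN under a different key gives a different digest:",
          keyed_hash(SAMPLE_PAN, secrets.token_bytes(32)) != digest)
```

The keyed digest is only as protected as the key: it must be stored and rotated separately from the digests, and a key rotation means re-hashing stored values, which is why the digest and the key should never sit in the same database table or configuration file.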
Preparing for PCI DSS v4.0 involves strategic steps such as a PCI DSS compliance assessment conducted by PCI compliance auditors, such as Cybernetic Global Intelligence, which identifies security weaknesses and maps them against the standard's expectations.
Below are some of the changes that are likely to have an impact on public-sector organisations:
Anti-phishing Measures
The latest PCI DSS v4.0 Requirement 5.4.1 necessitates organisations to mitigate phishing risks. Phishing attacks, where malicious actors impersonate legitimate personnel to deceive employees into revealing sensitive information, pose a significant threat to public-sector agencies. Public employees’ names and contact details are easily accessible through public databases, making it easier for attackers to identify and target them. To combat this, public agencies should provide training to recognise and resist phishing attempts. Additionally, implementing anti-phishing tools within IT systems can detect suspicious communications sent via email, text, or other platforms, thereby reducing phishing risks.
Patch Management
Starting March 2025, Requirement 6.3.2 mandates organisations to maintain an inventory of custom software for effective vulnerability and patch management. Government agencies face challenges in keeping software up-to-date. To address this, agencies must adopt a systematic approach to patch management, possibly incorporating new tools and processes. This approach ensures they are aware of their hardware and software assets and available patches and facilitates timely patch application to minimise vulnerability risks.
Web Application Security
Requirement 6.4.2, effective March 2025, obliges organisations to deploy cybersecurity software that detects and prevents web-based attacks on web applications. Public-sector agencies lacking such solutions need to strengthen their defences to comply with PCI DSS v4.0. Understanding the various causes of security breaches, including hacks, malware, and social engineering, is crucial. Agencies must implement a host of cybersecurity tools. These may include web application vulnerability scanning, SQL injection attack scanners, web application firewalls, and cyber risk monitoring to secure their applications effectively.
Network Security Enhancement
Apart from bolstering application security, updated PCI DSS requirements include enhanced network security rules. Keeping digital certificates up-to-date is a longstanding best practice. However, public-sector agencies often struggle with systematic certificate management and continuous updates. Addressing these weaknesses through PCI compliance auditors is important for PCI DSS compliance. According to Requirement 4.2.1, organisations must maintain current digital certificates to authenticate secure devices connecting to their networks and secure cardholder data (CHD) during transit.
Conclusion
As PCI DSS v4.0 is set to come into practice in 2024, public-sector enterprises need to make major changes to their security standards in key areas. These include patch management, credit card processing, web application security, anti-phishing, and network security enhancements. The PCI DSS security standards apply to all system components within or connected to the cardholder data environment (CDE).
The CDE comprises individuals, procedures, and technologies that process, store, or transmit cardholder data or sensitive authentication data. If you want your organisation to become PCI compliant in view of its new variant becoming operational in 2024, get in touch with Cybernetic Global Intelligence, a certified PCI DSS QSA service provider. To know more, contact us at 1300 292 376 or via email at contact@cybernetic-gi.com or visit our website https://www.cyberneticgi.com/