Payment card data is one of the most common targets when an attacker goes after an organization. Data breaches and credit card fraud are frequent, and protecting cardholder data has become a key priority, especially for organizations in retail and financial services (FinServ).
That is why the Payment Card Industry Data Security Standard (PCI DSS) emerged in 2004. It is a set of requirements that aims to ensure that any organization that processes or stores credit card information can do so securely. Those requirements are continually updated; the latest version, PCI DSS 4.0, was published in 2022, but full enforcement goes into effect on March 31st, 2025. So how does PCI DSS 4.0 differ from previous versions, and how can you ensure your organization is ready for the changes?
PCI DSS 4.0 = The Next-Gen of PCI Compliance
PCI DSS 4.0 was introduced to address changes in how credit cards have been used over the past few years. The pandemic created a large spike in online payments and ushered in widespread use of Point of Sale (PoS) machines, so the volume of credit card data increased significantly. And with much of this data stored on cloud platforms, attackers have additional targets.
The good news for organizations that struggle with PCI compliance is that the 12 core PCI DSS requirements have not fundamentally changed with PCI DSS 4.0. The main difference is that the requirements now focus on security objectives to guide how security controls should be implemented.
The main goals for PCI DSS 4.0 can be summarized as follows:
- Ensuring the standard meets the security needs of the payments industry;
- The promotion of security as a continuous process;
- Enhancing validation methods and procedures.
One of the most critical changes concerns the need for stronger authentication requirements, including expanded applications for encrypting cardholder data, an area in which Fortra has a hugely effective proposition.
How Fortra's Clearswift Secure Email Gateway Appliance Can Help Prepare for PCI DSS 4.0
Many areas of potential PCI vulnerability – email correspondence, social media, 'contact us' web forms, chat platforms – expose customers and organizations to undue risk and error. In each case, payment card data is distributed through an organization and needs to be contained, secured, and managed within PCI DSS guidelines. This is where a Secure Email Gateway appliance like Clearswift's comes in handy with its Adaptive Redaction technology, which automates the scanning and redacting of payment card details before they even enter the organization by replacing sensitive credit card data with hashes. This functionality also removes information that has been hidden, for example in a hidden column or row of a spreadsheet that contains PCI data. Thanks to OCR scanning, this even includes payment card information sent as scanned images or photographs.
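The core of the redaction step described above, as an added illustration in Python (this is not Clearswift's code): find candidate card numbers, keep only those that pass the Luhn check so that order numbers and phone numbers are left alone, and replace each real PAN with a salted hash token. The salt and the sample message are constructed demo values.

```python
import hashlib
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact_pans(text: str, salt: bytes = b"constructed-demo-salt"):
    """Replace every Luhn-valid PAN in text with a salted-hash token.

    Returns (redacted_text, number_of_replacements). The salt is a constructed
    demo value; a real gateway would use a per-deployment secret so the token
    cannot be brute-forced back to the card number.
    """
    count = 0

    def _replace(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        if not luhn_valid(digits):
            return candidate    # e.g. an order number that merely looks like a PAN
        count += 1
        token = hashlib.sha256(salt + digits.encode()).hexdigest()[:16]
        return f"[PAN-REDACTED:{token}]"

    return PAN_PATTERN.sub(_replace, text), count

if __name__ == "__main__":
    # Constructed sample message: one real test PAN, one 16-digit order number.
    sample = "Card 4111 1111 1111 1111 exp 12/27, order 1234567812345678"
    print(redact_pans(sample))
```

A production gateway applies the same logic to every text layer it can extract, including hidden spreadsheet cells and OCR output from images, which this snippet does not do.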
How Fortra's Agari DMARC Protection Can Deliver More PCI-Proof Compliance
While the on-premise SEG approach is an effective component in ensuring PCI DSS 4.0 compliance, it only detects and removes the information that breaks PCI DSS guidelines and lets the rest of the message through unhindered. This, also called a 'stop and block' method, only ensures that there is no break in communication. While PCI DSS 4.0 warnings started being issued at the end of 2023, you need to know that organizations must be fully compliant by March 31st, 2025! Specifically, Section 5.4.1 of the guidelines encourages organizations to "consider a combination of approaches". To satisfy this directive, the SEG's Adaptive Redaction capability can be coupled with another anti-phishing mechanism that can defend against advanced attacks.
Enter Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol that identifies and quarantines malicious emails and prevents fraudulent use of legitimate brands. A DMARC record provides anti-spoofing protection by using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records to validate messages. Once all of these protocols are in place and your DMARC policy is set to p=reject, you can rest assured that you are safeguarding your brand from spoofing and fraud.
If you do not already have these authentication mechanisms in place, the time to start is now so that you will have your DMARC ducks in a row for the March 2025 deadline. Fortra can implement a full DMARC solution for you at the same time, even if you're starting from scratch. The system scans the web and your DMARC reports to proactively identify and shut down spoofing attempts and lookalike domain attacks.
So book a DMARC demo and you can be on your way to achieving PCI DSS 4.0 compliance TODAY!
Get more information
Compliance with PCI DSS 4.0 is essential, and non-compliance can result in a significant financial penalty or long-term damage to a brand. We've covered this in more detail in our new report, "PCI DSS 4.0 – What Is Best Practice?"