Protecting Against Emerging Threats: What You Need to Know About PCI DSS v 4.0's New Controls

February 24, 2023
Posted by: Gradeon
Category: Compliance

As online transactions grow in popularity, secure payment systems have become increasingly vital. As a result, organisations must comply with Payment Card Industry Data Security Standards (PCI DSS) to ensure these transactions are safe and secure. The latest version, PCI DSS v 4.0, was released in 2022 and included several new controls that must be implemented to enhance security.

One of the most significant changes in PCI DSS v 4.0 is the increased focus on risk management. Organisations must now conduct a comprehensive risk assessment to identify potential vulnerabilities in their payment systems. The assessment should include internal and external risks, such as those posed by employees, third-party vendors, and cybercriminals. Organisations must also implement risk-based approaches to address these vulnerabilities and ensure they have the appropriate controls.

Another new requirement in PCI DSS v 4.0 is protecting payment data at rest, in transit, and use. Organisations must use encryption to protect sensitive data, including cardholder information, from unauthorised access. The new standard also requires organisations to implement multi-factor authentication (MFA) for all non-console access to cardholder data. MFA is an essential security measure ensuring only authorised users can access sensitive data.

Organisations must also implement additional controls to protect against emerging threats such as phishing, malware, and ransomware attacks. One of the new controls is implementing rules that can detect and prevent ransomware attacks. Ransomware attacks are one of the most significant threats facing organisations today, and they can have devastating consequences. Therefore, the new standard requires organisations to have a ransomware response plan and to test it to ensure its effectiveness regularly.

Another new control is the need to implement controls to protect against supply chain attacks. Supply chain attacks are becoming increasingly common and can be difficult to detect and prevent. The new standard requires organisations to conduct due diligence on all third-party vendors and suppliers to ensure appropriate security controls are in place. Organisations must also monitor these vendors and suppliers for suspicious activity.

PCI DSS v 4.0 also places a greater emphasis on the need to maintain a secure network. Organisations must implement controls to monitor network traffic and detect unauthorised access or activity. The new standard requires organisations to have a network segmentation strategy to isolate cardholder data and prevent unauthorised access. Organisations must also implement controls to prevent and detect any unauthorised wireless access.

Another new requirement in PCI DSS v 4.0 is implementing controls to protect against physical security threats. Organisations must implement controls to protect against physical theft or unauthorised access to cardholder data. The new standard requires organisations to have a physical security plan that includes access control, video surveillance, and alarms.

Finally, organisations must implement controls to prepare for a data breach. The new standard requires organisations to have an incident response plan outlining the steps they will take in case of a violation. Organisations must also regularly test this plan to ensure its effectiveness.

In conclusion, PCI DSS v 4.0 includes several new controls that organisations must implement immediately to enhance the security of their payment systems. These controls focus on risk management, the protection of payment data, the detection and prevention of emerging threats, the maintenance of a secure network, the protection against physical security threats, and the preparation for a data breach. Organisations that fail to comply with these new controls risk facing severe consequences, including financial penalties, reputational damage, and legal action. To mitigate these risks it’s advisable for organisations to take the necessary steps to comply with PCI DSS v 4.0 and protect their customers’ payment data. Speak to one of Gradeons’ consultants…

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_XJTBGPGZEW	2 years	This cookie is installed by Google Analytics.
_gat_UA-202583883-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 11 days 22 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Protecting Against Emerging Threats: What You Need to Know About PCI DSS v 4.0’s New Controls

Consulting Services

Compliance Services

PCI Services

Cyber Services

Products

How can we help you?