Making the Shift to PCI v4.0

Change is a constant, especially when it comes to data protection standards. That’s why Nelnet Campus Commerce works hard to be prepared for upcoming changes as payment security standards seem to be in a state of change. Here are some updates on data security standards and what’s new with the PCI DSS v4.0 release.

Payment security is undergoing a transition as the Payment Card Industry Security Standards Council (PCI SSC) has rolled out updated standards to enable organizations to better protect payment information against ever-evolving threats.

As a Payment Card Industry Data Security Standard (PCI DSS) validated service provider, Nelnet Campus Commerce has watched this evolution all along, and is preparing for the rollout of the new PCI DSS standards. Becky Pollock, Nelnet Business Services Chief Payment Officer, notes the critical importance of PCI DSS adherence and validation. “The payments industry is constantly evolving, and unfortunately the fraudsters continue to look for ways to get to cardholder data. As a PCI DSS Level 1 service provider, we know the importance of our responsibility to protect this data and our clients,” she said.

The new PCI DSS standards will provide a comprehensive update that takes into account the diverse array of payment applications and software, as well as a range of data protection standards. The PCI SSC has revised the standards in a years-long process that included three Request for Comments periods, which drew over 6,000 individual comments from over 200 companies. With a customized approach, the ultimate goal was to create a security framework that allows organizations to use different means to achieve security objectives.

In March 2022, the newest version of PCI DSS, Version 4.0, was released. This has a multi-year transition period, during which time individual organizations can choose whether to assess at the earlier standard or the new standard. The old standard, v3.2.1, will be retired March 31, 2024, and v4.0 will become the only version available for use in validations.

The Payments Security Standards Council had four goals for the new requirements:

• Continue to meet the security needs of the payment industry
• Promote security as continuous process
• Add flexibility for different methodologies
• Enhance validation methods

Overall, these goals will help payment processors be more dynamic in how they meet the challenges posed by evolving security threats. For example, the standard will now require multi-factor authentication or stronger passwords for any system housing cardholder data, which can help reduce the risk of account information being stolen. Other requirements are aimed at preventing phishing and skimming attacks.

Organizations will have the flexibility they need to reduce risk in a variety of ways – and the PCI SSC won’t have to scramble to keep up rewriting overly narrow requirements. The emphasis on security as a continuous process is also important as it takes the protection of customer information beyond specific technical controls and encourages organizations to think critically about security in every role.

Want to learn more about PCI DSS? Read our blog: A QSA’s Top Seven PCI DSS v4.0 Critical Takeaways

Interested in cybersecurity awareness? Read our blog: 7 Ways to Engage in Cybersecurity Awareness