In March 2022 the PCI SSC published version 4.0 of the PCI DSS standard to replace version 3.2.1. The 12 requirements remain in force, but changes of several kinds were introduced. The main objectives of the update are to refine the control and validation methods so that compliance reporting is clearer, to promote security as a continuous process across every phase of an organization's operations, to raise the baseline of security practice, and to give organizations more flexibility in how they meet the requirements and integrate them with other methodologies.
Among the main changes are stricter authentication requirements, targeted risk analysis, and continuous monitoring supported by automated event detection, testing and vulnerability scanning, among others.
The 12 established requirements are still present and remain the fundamental pillar of the standard. However, organizations are now expected to implement a number of controls that were only considered good practice up to version 3.2.1 (which was retired on 31 March 2024); under v4.0 they become mandatory from 31 March 2025:
- Implement anti-malware solutions that scan removable media or perform continuous behavioral analysis of systems.
- Deploy technology that detects and blocks phishing attacks.
- Use a WAF (or an equivalent automated technical solution) in front of public-facing web applications.
- Review user accounts and their access privileges at least once every six months.
- Dynamically analyze the security posture of accounts.
- Use automated mechanisms to review audit logs.
- Be able to detect and alert on failures of critical security controls, including network security devices, IDS/IPS, FIM, anti-malware, physical access controls and segmentation controls.
- Perform authenticated internal vulnerability scans.
- Use IDS/IPS capable of detecting and addressing covert malware communication channels.
- Deploy a change-and-tamper detection mechanism that alerts on unauthorized changes to HTTP headers and to the contents of payment pages as received by the consumer's browser.
- Include phishing and social engineering in the security awareness program.
- Have mechanisms to detect PAN stored outside the defined PCI DSS scope.
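To make the payment-page control in the list above concrete, the following is an added example (not code from the original page or from INSSIDE Cybersecurity) of a change-and-tamper detection check: it fingerprints the monitored response headers and the page's scripts against a known-good baseline and reports any header change, any added, missing or modified external script, and any change to inline script content. The page HTML, headers, URLs and script bodies below are constructed sample data; in production the baseline would be captured from the approved page and the current values fetched as a consumer browser would see them.

```python
"""Change-and-tamper detection for a payment page: compare monitored HTTP
headers and the page's script inventory against a known-good baseline.
Added example code; all pages, headers, URLs and script bodies are constructed."""
import hashlib
from html.parser import HTMLParser

# Headers whose values must not change on the payment page.
# Assumption: the organization chooses the headers it relies on (CSP at minimum).
# Header names are assumed already normalized to this canonical casing.
MONITORED_HEADERS = ("Content-Security-Policy", "X-Frame-Options")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs (src attribute) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def page_fingerprint(headers, html, script_bodies):
    """Fingerprint a page: monitored headers, hash of each external script body
    (script_bodies maps src -> fetched body) and hashes of inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {
        "headers": {h: headers.get(h) for h in MONITORED_HEADERS},
        "external": {src: sha256(script_bodies.get(src, "")) for src in parser.external},
        "inline": sorted(sha256(body) for body in parser.inline),
    }


def detect_changes(baseline, current):
    """Return a list of human-readable findings; empty list means no change."""
    findings = []
    for h in MONITORED_HEADERS:
        if baseline["headers"][h] != current["headers"][h]:
            findings.append(f"header changed: {h}: {baseline['headers'][h]!r} -> {current['headers'][h]!r}")
    b_ext, c_ext = baseline["external"], current["external"]
    for src in sorted(c_ext.keys() - b_ext.keys()):
        findings.append(f"unauthorized script added: {src}")
    for src in sorted(b_ext.keys() - c_ext.keys()):
        findings.append(f"expected script missing: {src}")
    for src in sorted(b_ext.keys() & c_ext.keys()):
        if b_ext[src] != c_ext[src]:
            findings.append(f"script content modified: {src}")
    if baseline["inline"] != current["inline"]:
        findings.append("inline script content changed")
    return findings


# Constructed sample: the approved payment page and a tampered copy of it.
GOOD_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://js.example-psp.test",
    "X-Frame-Options": "DENY",
}
GOOD_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/psp.js"></script>
<script>window.checkoutConfig = {currency: "EUR"};</script>
</body></html>"""
GOOD_SCRIPTS = {
    "/static/checkout.js": "function pay(){/* legitimate checkout logic */}",
    "https://js.example-psp.test/psp.js": "/* payment service provider script */",
}

# Tampered copy: CSP loosened, a foreign script injected, first-party script altered.
TAMPERED_HEADERS = {"Content-Security-Policy": "script-src *", "X-Frame-Options": "DENY"}
TAMPERED_HTML = GOOD_HTML.replace(
    "</body>", '<script src="https://static.unknown-cdn.test/skim.js"></script></body>')
TAMPERED_SCRIPTS = dict(GOOD_SCRIPTS)
TAMPERED_SCRIPTS["/static/checkout.js"] = "function pay(){/* altered: exfiltrates card form */}"
TAMPERED_SCRIPTS["https://static.unknown-cdn.test/skim.js"] = "/* injected script */"

BASELINE = page_fingerprint(GOOD_HEADERS, GOOD_HTML, GOOD_SCRIPTS)


def check_payment_page(headers, html, script_bodies):
    """Compare a live page against the stored baseline."""
    return detect_changes(BASELINE, page_fingerprint(headers, html, script_bodies))


if __name__ == "__main__":
    for finding in check_payment_page(TAMPERED_HEADERS, TAMPERED_HTML, TAMPERED_SCRIPTS):
        print("ALERT:", finding)
```

Hashing the fetched script bodies, rather than only listing their URLs, is what catches the common case where an allowed first-party or PSP script is modified in place; comparing the CSP header catches the attacker loosening the policy so that the injected script can run. In practice the check should run on a schedule from outside the environment and feed its findings into the same alerting used for FIM.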
INSSIDE Cybersecurity has a team of PCI DSS experts and auditors who accompany organizations in aligning with and complying with the standard so that they reach the audit with success.