Thales Blog

The Clock is Ticking for PCI DSS 4.0 Compliance

September 19, 2023

Emily Richuso Emily Richuso | Senior Product Marketing Manager, Thales More About This Author >

It is essential for any business that stores, processes, and transmits payment card information to comply with the Payment Card Industry Data Security Standard (PCI DSS). Consumers’ payment data is a compelling target for criminals who continue to circumvent IT security defenses. Virtually every major financial institution, retailer, and scores of payment processors have been the victims of data breaches, incurring both financial and reputational damage.

According to the 2022 Thales Data Threat Report – Financial Services Edition, 52% of U.S. financial services organizations report that they have experienced a data breach in the past. Even more alarming, 43% reported an increase in the volume, severity, and scope of cyberattacks in the last year. Additionally, the IBM 2023 Cost of Data Breach report indicates that financial services tops the list of industry verticals when it comes to the average cost of a data breach at $5.90 million, second only to healthcare.

The deadline is fast approaching

The PCI Data Security Standard (PCI DSS) was developed in 2008 to standardize the security controls that need to be enforced by businesses processing payment card data in order to protect cardholder data and sensitive authentication data wherever it is stored, processed, or transmitted. The new version of the standard, PCI DSS 4.0, was released on March 31, 2022, and before we know it, businesses will face the compliance deadline of March 31, 2024. In other words, we are only seven months away from fully complying with the revised standard.

The new version includes many updates, which you can read in the Summary of Changes document. In this blog I will focus on two requirements and show how Thales CipherTrust Data Security Platform solutions can help businesses streamline compliance.

Requirement 3: Protect Stored Account Data

Entities accepting and processing cardholder data are expected to protect it and prevent its unauthorized exposure or use – wherever it is stored locally or transmitted over internal private or external public networks to a remote server or service provider.

Requirement 3.2 mandates that account data storage is kept to a minimum by implementing data retention and disposal policies, procedures, and processes. These policies should enforce data storage volume and retention time reduction to an absolute minimum to meet legal and business requirements. When this data is no longer required to be stored, the organization should establish processes for secure deletion, rendering data unrecoverable.

Secure data storage is closely related to encryption and key management. At the end of data retention periods encryption keys must be destroyed, digitally shredding all data instances, no matter where the data is stored, backed up, or migrated to. To establish a data security program that keeps account data storage to a minimum using controls and technology, organizations first need to have visibility into where their sensitive data resides.

Thales CipherTrust Data Discovery and Classification can efficiently locate structured and unstructured regulated data across multiple cloud platforms and traditional data stores for organizations to prioritize remediation.

Requirements 3.4.1 and 3.5.1 require that the Primary Account Number (PAN) be masked when displayed. The bank identification number (BIN) and the last four digits are the maximum number of digits to be displayed. The display of full PAN on computer screens, payment card receipts, paper reports, etc., can result in this data being obtained by unauthorized individuals and used fraudulently. Ensuring that the full PAN is displayed only for those with a legitimate business need minimizes the risk of unauthorized persons gaining access to PAN data.

The Thales CipherTrust Tokenization solution includes several dynamic data masking options depending on the user’s role. Security admins can establish policies to return an entire field tokenized or dynamically mask parts of a field. For example, a security team could establish policies so that a user with customer service representative credentials would only receive a credit card number with the last four digits visible, while a customer service supervisor could access the full credit card number in the clear.

Requirement 12: Support Information Security with Organizational Policies and Programs

The organization’s overall information security policy sets the tone for the whole business and informs personnel what is expected of them. All staff should be aware of the cardholder data sensitivity and their responsibilities for protecting it.

Requirement 12.5 further elaborates that the PCI DSS scope is documented and confirmed by the organization at least once every 12 months and upon significant change to the cardholder data environment (CDE). Adapting policies and procedures to the changing business and risk landscape is necessary. At a minimum, scope assessment and validation should include identifying all data flows for the various payment stages and acceptance channels.

Thales CipherTrust Data Discovery and Classification can facilitate identifying all sources and locations of PII (Personally Identifiable Information), including Primary Account Numbers (PAN). The solution can also look for PAN that resides on systems and networks outside the defined CDE or in unexpected places within the defined environment. The solution enables businesses to efficiently locate structured and unstructured regulated data across all storage locations, allowing better and prioritized decisions about remediating discrepancies.

Get Ready for PCI DSS 4.0 with Thales Data Protection

These are only two of the PCI DSS 4.0 requirements that deserve your attention. Download our comprehensive paper for a complete list of the requirements and how Thales data protection solutions can help you accelerate your time to compliance to meet the March 31, 2024 deadline.