THALES BLOG

Your PCI-DSS v4.0 Roadmap: Charting a Course of Education, Analysis & System Enhancements

JULY 4, 2024

Shane Tully | Global CISO, A24

The Payment Card Industry Data Security Standard (PCI-DSS) v4.0 is about protecting cardholder data and maintaining the secure reputation of the payments industry as a whole. Cyber threats continue to grow in frequency, to change in attack vector and to increase in complexity, which demands stronger protection, particularly for payments data.

However, this new version of PCI-DSS isn’t only about raising the bar. Through the customised approach it also gives businesses more flexibility in how they meet each requirement’s security objective, rather than prescribing a single control.

The main focus is on staying secure all the time: security as business-as-usual rather than a once-a-year assessment exercise.

The Payment Card Industry Security Standards Council retired v3.2.1 on 31 March 2024, and the future-dated requirements in v4.0 become mandatory from 31 March 2025. How much time you have to comply will depend on where you are on your PCI compliance journey and when your existing certification expires.


A24 completed the PCI-DSS v4.0 compliance assessment of our own HSMaaS infrastructure ahead of the retirement of v3.2.1 and received our first v4.0 compliance certificate in November 2023, so we are both an experienced service provider to the payments industry and a compliant user of the new standard.

We know that an approach of minimising risk and impact through prioritising cybersecurity efforts and continuous improvement will keep you heading in the right direction.


Customer Story

One of our clients is a publicly listed global payments platform operator offering innovative products and payment options to support the movement of money globally using cloud-based services and APIs. Operating in the UK, Europe and Australia, a global scalable approach was needed.


The challenges were multi-faceted:

  • Deliver a digital transformation of their business and customer experience.
  • Migrate applications to Microsoft Azure and decommission their own data centres.
  • Comply with all applicable regulations and standards including PCI-DSS v4.

In pursuing the migration of workloads to Azure, it was soon discovered that some things just don’t fit well in the cloud: in this case, the payment Hardware Security Modules and the Mastercard gateways.

Coupled with the challenge of retaining skilled team members with experience in managing this critical infrastructure, an alternative approach was required. That alternative raised a further concern: customer experience could suffer if the infrastructure and the applications that depend on it were no longer co-located.

Solution

A24 designed, built and operates a compliant encryption infrastructure solution based on Thales payShield 10K HSMs. The infrastructure is located adjacent to the cloud (in this case Microsoft Azure) in secure Equinix data centres around the globe.

We take responsibility for proactive management, documentation and compliance of the platform, and we train the customer’s Key Custodians to make efficient use of the Thales products. Existing HSMs were re-used alongside newly provisioned devices. The Mastercard MPS gateways are hosted in the same location, covering every element of the customer’s infrastructure that couldn’t be virtualised in Azure.

Outcomes

We enabled this global payments platform provider to gain PCI-DSS v4.0 certification across two continents, covering Sydney, Melbourne and London.

  • New cloud adjacent solution maximising performance and customer experience.
  • Providing a global blueprint for compliant, secure encryption in their expansion strategy.
  • Access to experienced, skilled, global, 24/7 resources to manage infrastructure and simplify operations with a long-term partner.

PCI-DSS v4.0 brings Significant Improvements

The new standard brings significant improvements, especially in how the systems and networks that process our payments have to be secured, and it accommodates the latest HSM services, including:

  • Key loading devices & HSM remote administration platform capabilities
  • Device management information submitted by vendors
  • Cloud-based HSM as a Service
  • Multi-tenant usage security requirements

Proven Step-by-step Approach

Preparing for these new requirements involves understanding the updates, assessing current systems, and implementing necessary changes. Here’s a step-by-step approach you can take to ensure your PCI-DSS v4.0 compliance journey is one that elevates your organisation.


From Knowledge to Action: Education, Gap Analysis, and Your PCI-DSS 4.0 Compliance Roadmap

Take the time to understand the key changes introduced in PCI-DSS v4.0, such as stricter authentication requirements (including multi-factor authentication for all access into the cardholder data environment), broader use of encryption, and more flexible ways to demonstrate compliance. This will allow you to focus resources where they will have the greatest impact and avoid unnecessary work. Engage stakeholders across the business with workshops, webinars and training sessions that break down how these changes affect their specific business processes, system security needs and network security controls.

Gap Analysis and Risk Assessment

Undertake a comprehensive assessment from current state to desired state. This begins with an evaluation of your organisation’s existing compliance status. Next, a gap analysis compares that status against the new requirements, pinpointing areas that need attention, such as authentication, encryption and monitoring. Finally, conduct a risk assessment to identify the most critical weaknesses and prioritise their remediation.

Strategic Planning for Compliance

Based on your gap analysis results, develop a compliance roadmap that outlines the steps needed to meet the new requirements. These plans typically include timelines, milestones, resource allocation and guidance on data sovereignty challenges.

Handy Tip: A useful resource on data sovereignty and how it applies in public cloud environments is IDEMIA’s article “Data sovereignty in a public cloud environment”.

Update your organisation’s security policies and procedures to align with the new standard, and with other emerging standards, both in your home market and globally if you operate across borders; this is one way to demonstrate due diligence in ongoing operations and compliance. The review should span not only PCI-DSS but also other regulations relevant to your market. For example, consider the European Digital Operational Resilience Act (DORA). Our latest blog, Decoding DORA for FinTech Operational Resilience: 5 Areas of Focus, covers this in more detail.


Ongoing Technology and Process Enhancements

Choose and implement security technologies that help meet the new encryption and authentication requirements. The brief is not always straightforward, and there are often several candidate solutions to assess. Drawing on the expertise of partners can help identify the benefits of one solution over another and better educate your team in the functionality of highly specialised equipment, which is particularly relevant when cloud solutions are part of the mix.

One example, where a secure cryptographic device (SCD) is required for PIN security, is the Thales TMD (Trusted Management Device): a compact, intuitive and self-contained SCD for secure symmetric key management. The Thales TMD is designed to manage and share critical keys in a way that complies with the relevant security standards, including PCI PIN Security.

Also consider process enhancements. Redesigning processes that handle cardholder data to ensure they comply with the updated standards and align with your technology solutions will ensure you are operating in a compliant way.

To ensure continuous compliance and the security of cardholder data environments, organisations can benefit from guidance on choosing or upgrading their monitoring systems. Establishing regular testing routines, such as penetration testing, vulnerability scans and security assessments, is also crucial and is what Requirement 11 of the standard expects. These tests verify that the implemented controls remain effective as both the threat landscape and the regulations evolve.

In addition, ensure all changes and data flows are well documented, reflecting how each element of the PCI-DSS v4.0 requirements is met. The standard expects current network and data-flow diagrams to be maintained and PCI-DSS scope to be confirmed at least annually (at least every six months for service providers), so documentation must be a living artefact rather than an assessment-time deliverable.


Employee Training, Vendor Management, and Ongoing Support

Maintaining secure data handling practices requires continuous training for staff on the latest PCI-DSS requirements. Organisations can tailor training programmes to specific roles, ensuring key personnel understand their responsibilities. Additionally, if vendors handle cardholder data or can affect its security, managing their compliance with PCI-DSS v4.0 (the third-party service provider obligations under Requirement 12.8) becomes crucial. A recent reminder of how far a third-party dependency can reach is the UniSuper outage that began on 2 May 2024, when a cloud provider error took the fund’s services offline for more than a week.

To navigate the transition and ensure ongoing compliance, organizations can benefit from ongoing support and consultation. This support can include establishing a feedback mechanism to address any questions or difficulties that arise during implementation or post-compliance.

PCI-DSS v4.0 offers more flexibility to customise implementations through different technologies or methodologies. Hosting in a third-party data centre such as Equinix can bring a more robust approach to physical access control, and the author notes it allows deployment in over 92 countries.

By taking a considered approach and following these steps, you can significantly ease your transition to PCI-DSS 4.0, ensuring you not only comply with the new requirements but also enhance your overall data security posture.

A24 and Thales

Together, A24 and Thales make multi-cloud security independent, accessible and flexible using cloud-adjacent technology that is secure and scalable.

The longevity of Thales’ best-of-breed technology, both the on-premises payShield 10K HSM and the Thales-hosted payShield Cloud HSM service, incorporated into the A24 solution appeals to CIOs and CTOs who want to sweat their assets and maximise return on investment (ROI).