Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) was released at the end of March 2022. At the time of writing, we now have less than one year until the previous version, 3.2.1, is retired and can no longer be used for new assessments.
If you've ever taken a credit card as payment for anything, then you've probably heard of the Payment Card Industry Data Security Standard (PCI DSS). It defines a set of requirements for merchants and service providers to protect their customers' payment card data. The importance of PCI DSS lies in the fact that it helps to protect sensitive data whose exposure could have serious consequences should it fall into the wrong hands: credit card numbers, names, addresses, and other personally identifiable information.
Many organisations accepting card payments see SAQ A as the target operating model, as it reduces the number of PCI DSS requirements with which an organisation must comply more than any other SAQ. It does not come without risk, though: the third-party service providers you have engaged must maintain their own compliance at all times in order to support yours.
So, what remains the same, and what has changed with the arrival of PCI DSS v4.0? The first blog of this series explained the core format changes common to all the SAQs; here we turn to the specifics of SAQ A.
The PCI Security Standards Council (SSC) published PCI DSS v4.0 on 31st March 2022. The combined efforts of the SSC, the payment brands, participating organisations, and the QSA community have yielded a significant overhaul that promises to provide a framework for securing payment card information well into the future.
There has since been a lot of activity surrounding the release, which gives rise to a problem: with such an overhaul, people are suffering from information overload and are unable to find a starting point for their organisations. Nettitude will break down what the changes mean and what a merchant or service provider needs to do to migrate, starting with a series of blogs on the changes to the self-assessment questionnaires, so that you can quickly start forming your plan to move to PCI DSS v4.0.
What is File Integrity Monitoring (FIM)?
File Integrity Monitoring (FIM) is a control or process that compares the current state of operating system and/or application software files against a known-good baseline in order to validate the integrity of those files (i.e. to look for unexpected changes).
The integrity verification uses a cryptographic hash function to calculate an initial checksum of each file; that stored value is later compared with a checksum freshly calculated from the file's current state, and any mismatch indicates the file has changed. In essence, a checksum is a small block of data derived from a larger block of data, such that any change to the larger block produces a different checksum.
Statistics show that in 2021, online retail sales amounted to a staggering 4.9 trillion dollars, with purchases made by over two billion customers.
Experts anticipate that this trend will continue as more people choose the convenience of internet shopping. Unfortunately, it has also encouraged cyber criminals to target this area.
These two factors have prompted retailers and security experts to focus on improving online retail cybersecurity measures.
The wait is finally over: PCI DSS v4.0 is released today, 31st March 2022. Whatever the size of your organisation, your volume of payments, or the size of your in-scope network, there will be some impact on you, but for today it's business as usual.
In this post, we discuss six areas of PCI DSS v4.0 that we think you should be aware of today, with much more detail to come.
For now, we will take it easy and focus on the key themes and changes: