Navigating PCI-DSS 4.0 Compliance with Secon and Red Sift

Key Takeaways from our PCI DSS v4.0 webinar.

Here are the major highlights of the changes introduced in PCI DSS v4.0:

  1. Risk-Based Controls: v4.0 adds a “customised approach” alongside the defined approach and requires a targeted risk analysis (Requirement 12.3.1) for every control whose frequency the entity sets itself. Businesses tailor their security measures to their own environment rather than following a one-size-fits-all compliance model.
  2. Continuous Monitoring and Testing: Audit log review must now use automated mechanisms (Requirement 10.4.1.1), which in practice means a Security Information and Event Management (SIEM) platform, run in-house or through a managed Security Operations Centre (SOC). The aim is to surface suspicious events promptly rather than discovering them during a periodic manual review.
  3. Multi-Factor Authentication (MFA): Under v3.2.1, MFA was required for remote access from outside the network and for non-console administrative access to the cardholder data environment (CDE). v4.0 (Requirement 8.4.2) requires MFA for all access into the CDE, whether the user is an internal employee, a contractor or a third party.
  4. Enhanced Password Policies: The minimum password length rises from 7 to 12 characters (8 where a system cannot support 12), and passwords must still contain both letters and numbers (Requirement 8.3.6).
  5. Stronger Encryption Standards: PAN stored as a hash must now use a keyed cryptographic hash (Requirement 3.5.1.1), disk- or partition-level encryption on its own only satisfies the storage requirement for removable media (Requirement 3.5.1.2), and PAN sent over open, public networks must be protected with strong cryptography and valid certificates (Requirement 4.2.1).
  6. Incident Response Plans: Having a plan is no longer enough; it must be reviewed and tested at least once every 12 months (Requirement 12.10.2). Red teaming, blue teaming and purple teaming exercises go beyond that minimum, but the webinar encouraged them as the realistic way to test response capabilities against real-world attack scenarios.

Addressing Business Email Compromise and Cryptography.

One of the new requirements in PCI DSS v4.0 (retained in v4.0.1) targets phishing directly. Requirement 5.4.1 requires mechanisms to detect and protect personnel against phishing attacks; it was future-dated and becomes mandatory on 31 March 2025. The standard’s guidance names anti-spoofing controls such as DMARC, SPF and DKIM alongside link and attachment scanning, and its applicability notes make clear that security awareness training (Requirement 12.6.3.1) does not on its own satisfy it. Phishing and social engineering have been an increasing risk for many organisations.

Cornelius noted the growing importance of certificate management and cryptography: “Certificates used to safeguard payment account numbers (PAN) must be valid, not expired, and should not have been revoked. Moreover, businesses need to maintain an inventory of these certificates to ensure proper management.” These steps (Requirement 4.2.1 for validity and Requirement 4.2.1.1 for the inventory of trusted keys and certificates) are essential in mitigating man-in-the-middle attacks and other forms of data interception.
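The check described in that quote, written out as an added Go example (this is example code, not anything from Secon, Red Sift or the PCI SSC): it produces one inventory row per certificate, flags certificates that are expired or about to expire, and confirms that an in-date certificate actually chains to a trusted root. The self-signed test certificate, the merchant name and the OCSP responder URL are constructed for the example so that it runs offline; the OCSP and CRL endpoints are only recorded in the row, because a live revocation lookup needs network access.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one row of the certificate inventory. The field names
// are this example's own choice, not anything the standard prescribes.
type InventoryEntry struct {
	Subject, Issuer, Serial string
	NotAfter                time.Time
	OCSP, CRL               []string // endpoints a revocation check would query
	Status                  string   // ok | expiring | expired | not-yet-valid | untrusted
}

// AssessPEM parses one PEM certificate, classifies its validity period
// relative to now (warning inside the warn window) and, for certificates
// that are in date, checks that they chain to a root in roots.
func AssessPEM(pemBytes []byte, roots *x509.CertPool, now time.Time, warn time.Duration) (InventoryEntry, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return InventoryEntry{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return InventoryEntry{}, err
	}
	e := InventoryEntry{
		Subject: cert.Subject.String(), Issuer: cert.Issuer.String(),
		Serial: cert.SerialNumber.Text(16), NotAfter: cert.NotAfter,
		OCSP: cert.OCSPServer, CRL: cert.CRLDistributionPoints,
	}
	switch {
	case now.Before(cert.NotBefore):
		e.Status = "not-yet-valid"
	case now.After(cert.NotAfter):
		e.Status = "expired"
	case cert.NotAfter.Sub(now) < warn:
		e.Status = "expiring"
	default:
		e.Status = "ok"
	}
	if e.Status == "ok" || e.Status == "expiring" {
		// An in-date certificate from an unknown CA is still unusable for PAN transport.
		opts := x509.VerifyOptions{Roots: roots, CurrentTime: now}
		if _, err := cert.Verify(opts); err != nil {
			e.Status = "untrusted"
		}
	}
	return e, nil
}

// MakeTestCert issues a self-signed certificate so the example runs offline;
// a real inventory would read PEM files or live TLS endpoints instead.
func MakeTestCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(0x1001),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Merchant"}}, // constructed
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		OCSPServer:            []string{"http://ocsp.example.test"}, // hypothetical responder URL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	p, _ := MakeTestCert("pay.example.test", now.Add(-24*time.Hour), now.Add(10*24*time.Hour))
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(p) // trust the test certificate as its own root
	e, err := AssessPEM(p, roots, now, 30*24*time.Hour)
	fmt.Printf("%s serial=%s notAfter=%s ocsp=%v status=%s err=%v\n",
		e.Subject, e.Serial, e.NotAfter.Format("2006-01-02"), e.OCSP, e.Status, err)
}
```

Run against every certificate that terminates TLS for PAN traffic (load balancers, payment gateways, API endpoints) and keep the rows; a certificate that is in date but reports `untrusted`, or whose OCSP and CRL lists are empty, is worth a conversation with whoever issued it.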

Practical Solutions for Achieving Compliance.

During the webinar, both Secon and Red Sift emphasised that compliance is achievable, even for smaller businesses. Red Sift’s tools, such as Red Sift OnDMARC, help automate complex processes such as managing the email authentication protocols (SPF, DKIM and DMARC) so that businesses can maintain secure, trusted communication with their customers.
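As an added illustration of the kind of automated anti-spoofing check that Requirement 5.4.1 points at and that the DMARC tooling above manages (this is example code, not Red Sift’s product or anything shown in the webinar): a small Go evaluator that parses a DMARC TXT record and reports whether the record actually enforces or only monitors. The records, domain and reporting mailbox are constructed for the example; a real check would first fetch the TXT record at `_dmarc.<domain>`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DMARCReport is what an auditor wants from one _dmarc TXT record: the parsed
// tags, whether the record actually enforces, and the weaknesses to raise.
type DMARCReport struct {
	Tags     map[string]string
	Enforces bool     // p is quarantine or reject, applied to 100% of failing mail
	Findings []string // weaknesses a reviewer would raise
}

// EvaluateDMARC parses a DMARC record (RFC 7489 tag=value syntax; the record
// text is passed in directly so the example runs without DNS) and applies the
// RFC defaults that matter for enforcement: pct=100 and sp inheriting p.
func EvaluateDMARC(record string) (DMARCReport, error) {
	r := DMARCReport{Tags: map[string]string{}}
	first := true
	for _, part := range strings.Split(record, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return r, fmt.Errorf("malformed tag %q", part)
		}
		k, v := strings.ToLower(strings.TrimSpace(kv[0])), strings.TrimSpace(kv[1])
		if first && (k != "v" || v != "DMARC1") {
			// RFC 7489 requires the version tag first; receivers ignore the record otherwise.
			return r, fmt.Errorf("record must begin with v=DMARC1, got %q", part)
		}
		first = false
		r.Tags[k] = v
	}
	if first {
		return r, fmt.Errorf("empty record")
	}
	p, ok := r.Tags["p"]
	if !ok {
		// RFC 7489 section 6.6.3: no p tag but a rua tag is treated as p=none.
		if _, hasRua := r.Tags["rua"]; !hasRua {
			return r, fmt.Errorf("missing required p tag")
		}
		p = "none"
		r.Findings = append(r.Findings, "p tag missing: receivers treat the record as p=none")
	}
	switch p {
	case "none":
		r.Findings = append(r.Findings, "p=none: monitoring only, spoofed mail is still delivered")
	case "quarantine", "reject":
	default:
		return r, fmt.Errorf("invalid p value %q", p)
	}
	pct := 100
	if s, ok := r.Tags["pct"]; ok {
		n, err := strconv.Atoi(s)
		if err != nil || n < 0 || n > 100 {
			return r, fmt.Errorf("invalid pct value %q", s)
		}
		pct = n
	}
	if pct < 100 {
		r.Findings = append(r.Findings, fmt.Sprintf("pct=%d: policy applied to only %d%% of failing mail", pct, pct))
	}
	if _, ok := r.Tags["rua"]; !ok {
		r.Findings = append(r.Findings, "no rua: no aggregate reports, so no visibility of who sends as this domain")
	}
	// sp defaults to p; an explicit weaker sp leaves every subdomain spoofable.
	if sp, ok := r.Tags["sp"]; ok && sp == "none" && p != "none" {
		r.Findings = append(r.Findings, "sp=none: subdomains are not covered by the organisational policy")
	}
	r.Enforces = p != "none" && pct == 100
	return r, nil
}

func main() {
	// Constructed records for a hypothetical domain, not real DNS data.
	for _, rec := range []string{
		"v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
		"v=DMARC1; p=quarantine; pct=20; sp=none; rua=mailto:dmarc@example.test",
		"v=DMARC1; p=none; rua=mailto:dmarc@example.test",
	} {
		r, err := EvaluateDMARC(rec)
		fmt.Printf("%q\n  enforces=%v findings=%v err=%v\n", rec, r.Enforces, r.Findings, err)
	}
}
```

The second record is the common trap: `p=quarantine` looks like enforcement, but `pct=20` leaves four fifths of spoofed mail untouched and `sp=none` leaves every subdomain open, so the evaluator reports it as not enforcing.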

Additionally, for those concerned about the costs associated with implementing SIEM or SOC solutions, Cornelius highlighted the importance of choosing the right solution: “There are vendors out there who cater to smaller organisations, offering scalable solutions that won’t break the bank.” These tailored services can help businesses meet their compliance needs without overextending their resources.

Preparing for 2025: What Should You Do Next?

PCI DSS v4.0 has been the only active version since v3.2.1 was retired on 31 March 2024, and 31 March 2025 is the date on which its future-dated requirements (including the anti-phishing mechanisms in 5.4.1 and the certificate inventory in 4.2.1.1) become mandatory. Now is the time to assess where your organisation stands and close any remaining gaps. Whether you’re a merchant, payment service provider, or third-party service provider, ensuring that your risk management, encryption standards, and incident response plans are aligned with PCI DSS v4.0 is essential.