Payment Card Industry Data Security Standard (PCI DSS) 4.0 is the most comprehensive update to the card industry’s security standards in years. Consequently, it has left a lot of businesses scrambling to understand and implement the necessary changes to how they secure sensitive card data — including payment companies like independent sales organizations (ISOs), payment facilitators (PayFacs) and software platforms offering payment processing.

Version 4.0 was released in March 2022, but has been treated as best-practice guidance until it goes into full effect on April 1st, 2025. With the grace period almost over, failure to implement all necessary aspects of PCI DSS 4.0 by April will result in non-compliance (which could mean steep fines, loss of payment processing privileges, reputational and legal consequences, and unnecessary risk).

Luckily, staying compliant with the new updates is a very manageable task as long as you understand what’s required and work with the right partners and third-party service providers (TPSPs) who can provide expert guidance and minimize your compliance burden.

What Are the Key Changes to PCI DSS 4.0?

The official Summary of Changes outlines 36 pages of updates, clarifications and new requirements in PCI DSS 4.0. The full scope of updates is far beyond what we can touch on in a single article, so instead, we’re going to look at two key areas of change that have specific relevance to payment professionals: securing access to information and securing connections with technology partners.

Specific changes include:

  • Updates to section 12 expanding the compliance requirements for companies acting as or using third-party service providers (TPSPs) to support PCI DSS compliance
  • Updates to section 8 covering new multi-factor authentication (MFA) requirements for anyone (including your merchants) with access to cardholder data or to applications that run within the cardholder data environment (CDE)

In each case, we’ll look at the overall scope of the change, what it means for your business, and the easiest ways to minimize the impact and stay compliant.

Change 1: Expanded Requirements for Using Third-Party Service Providers

Relevant sections: 12.8, 12.9

One important change in PCI DSS 4.0 is an expanded focus on minimizing risk from any TPSPs you use. This update to PCI DSS 4.0 focuses on three areas:

  1. Emphasizing that you are ultimately responsible for everything within your PCI compliance scope, including any third-party service providers or connections that handle or transmit card data on your behalf
  2. Strengthening the requirement for you to regularly verify that the services any TPSP provides meet all necessary compliance requirements
  3. Ensuring there is a clear understanding of responsibilities anywhere PCI compliance burden is shared between you and a TPSP


Implications for Payment Companies

This ultimately means that you may need to do a little more to ensure your TPSPs are compliant. In the payments space, shifting compliance to a TPSP is a big part of risk management processes, and most companies manage or oversee their third parties' compliance in one way or another. That is still the requirement, but there is now a larger onus on you to verify that all shifted compliance responsibilities are being executed and managed effectively.

To do this, you’ll need to:

  • Maintain policies and procedures to track and manage each TPSP you work with that touches cardholder data
  • Ensure contracts with TPSPs include written acknowledgment of their responsibility for maintaining PCI DSS compliance and for providing the necessary reporting to support your oversight responsibilities
  • Establish an ongoing monitoring program that reverifies TPSP compliance at least once per year

This might sound like a lot, but it is very manageable as long as you stay on top of it. The updated section 12.9 of PCI DSS 4.0 lays out a set of requirements for your TPSPs, which makes it easier for you to take these steps.

One new area that could potentially be overlooked is the annual monitoring requirements. Your TPSPs should provide you with an annual Attestation of Compliance (AOC), which outlines the services applicable to their relationship with you, and confirms that the relevant PCI DSS requirements were examined and determined to be in place. Just remember that while they should be doing this, it is ultimately your responsibility to request a copy of the AOC and review it to ensure it meets your direct PCI DSS compliance responsibilities. An easy way to complete the process would be to hire a PCI-Qualified Security Assessor to manage the verification for you.

Remember that if you provide a contracted service to your merchants that covers their PCI compliance requirements — even a pass-through service provided by one of your providers — you are the merchant’s TPSP. And just like your own TPSPs, the updated section 12.9 requires you to support your merchants’ requests for information to ensure their PCI DSS compliance.

The Easiest Way To Stay Compliant

The easiest way to stay ahead of this change in PCI DSS 4.0 is to choose third-party service providers that are highly experienced in PCI compliance and have the expertise and the resources necessary to prioritize security on your behalf. The right partners make oversight simple and easy by taking the lead in meeting contract and documentation requirements, communicating responsibilities and proactively providing proof of ongoing compliance. That will not only help you maintain compliance, but it also makes it easier for you to meet the responsibilities you have to your own customers.

Change 2: Multi-Factor Authentication for Anyone Accessing Cardholder Data Environments

Relevant sections: 8.3, 8.4, 8.5

The PCI DSS defines the cardholder data environment (CDE) as:

  • “The system components, people, and processes that store, process or transmit cardholder data and/or sensitive authentication data, and,
  • System components that may not store, process, or transmit [cardholder data/sensitive authentication data] CHD/SAD but have unrestricted connectivity to system components that store, process or transmit CHD/SAD.”

PCI DSS 4.0 takes new steps to secure the CDE by requiring multi-factor authentication (MFA), or strict password rotation policies, for anyone with access to the CDE, whereas previously these requirements only applied to administrators. The changes in version 4.0 focus on two key areas:

  1. Ensuring MFA, or strict 90-day password rotation, is set up to secure access to the CDE for all users; and
  2. Ensuring MFA, if used, is properly configured, in alignment with industry standards, to guard against misuse.


Implications for Payment Companies

For payment companies like ISOs, PayFacs and software platforms that serve hundreds or thousands of individual merchants, this is an important change. It means that MFA mechanisms that are resistant to known attack vectors must be enabled for every single account (i.e. merchants, IT support, other vendors) with any access to cardholder data; to a system that stores, processes or transmits that data; or to any additional connected system that touches CDE data. This can cast a very wide net.

First, if applicable, you need to ensure MFA is enabled, properly configured and being used by your internal teams and systems. Merchants using a hosted payment page (where cardholder data never touches their systems) may be exempt from having to enable MFA. However, if you’re currently providing merchants or other parties with any kind of portal access, there is a high likelihood that MFA will be required for that, as well. This can be difficult for two reasons:

  • First, it requires an MFA process to be available, enabled and properly configured
  • Second, it may add friction to your merchants’ login process

Since this will now be a universal part of PCI DSS compliance, merchants are unlikely to find any provider that won’t offer MFA or require password rotation; and if they do, they should consider what that means for their own data security and their ability to maintain proper PCI DSS compliance. After all, this requirement ensures stronger protections for both merchants and cardholders. Unlike traditional single-factor authentication, MFA makes it more difficult for bad actors to gain unauthorized access to systems — protecting everyone involved — and should be used when it is offered, rather than relying on password rotation.

If your portal is developed and maintained in-house, you are directly responsible for enabling and configuring MFA. Remember, it’s always a good idea to educate your merchants on the new MFA requirements and why using it is necessary for their own PCI compliance.
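As an added illustration (not code from this post or from NMI), the following Python audit applies the rule described above to a constructed account inventory: every account with any CDE access must either have MFA enabled with at least two different factor types (my reading of "properly configured"), or have a password rotated within the last 90 days. Accounts without CDE access, such as merchants on a hosted payment page, are out of scope and skipped; all account names and dates are made up.

```python
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # the 90-day rotation window named in section 8 of PCI DSS 4.0

@dataclass(frozen=True)
class Account:
    user: str
    role: str                    # merchant, IT support, vendor, ...
    cde_access: bool             # any access to cardholder data or a connected CDE system
    mfa_enabled: bool
    mfa_factor_types: frozenset  # e.g. {"knowledge", "possession", "inherence"}
    password_last_changed: date

def mfa_properly_configured(acct: Account) -> bool:
    # Assumption: a properly configured MFA uses two *different* factor types,
    # so password + security question (both "knowledge") does not count.
    return acct.mfa_enabled and len(acct.mfa_factor_types) >= 2

def find_noncompliant(accounts, today: date):
    """Return (user, reason) pairs for in-scope accounts failing the MFA-or-rotation rule."""
    findings = []
    for a in accounts:
        if not a.cde_access:
            continue  # outside the CDE, e.g. hosted-payment-page merchant
        if a.mfa_enabled:
            if not mfa_properly_configured(a):
                findings.append((a.user, "MFA enabled but uses only one factor type"))
            continue  # MFA satisfies the requirement; rotation not needed
        age = (today - a.password_last_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.user, f"no MFA and password is {age} days old"))
    return findings

# Constructed sample inventory (hypothetical users, roles and dates).
AUDIT_DATE = date(2025, 4, 1)
SAMPLE_ACCOUNTS = [
    Account("alice-admin", "IT support", True, True, frozenset({"knowledge", "possession"}), date(2024, 6, 1)),
    Account("merchant-42", "merchant", True, False, frozenset(), date(2024, 11, 1)),     # 151 days, no MFA
    Account("merchant-77", "merchant", True, False, frozenset(), date(2025, 2, 15)),     # 45 days, rotation ok
    Account("support-bob", "vendor", True, True, frozenset({"knowledge"}), date(2025, 1, 10)),  # single factor type
    Account("merchant-hpp", "merchant", False, False, frozenset(), date(2023, 1, 1)),    # hosted page, out of scope
]

if __name__ == "__main__":
    for user, reason in find_noncompliant(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"NON-COMPLIANT {user}: {reason}")
```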

The Easiest Way To Stay Compliant

The easiest way to handle MFA is to let a TPSP handle it for you. If your merchant portal is provided by a third party, MFA will be something they offer to you. That takes a potentially big engineering job and a key part of PCI DSS 4.0 compliance scope off your plate. However, maintaining proper oversight and obtaining the proper certification documentation from your TPSP(s) is still vital to ensure your compliance requirements are covered.

Finding the Right Partner for the Most Secure Payment Systems

PCI DSS 4.0 is an important step in protecting consumers and businesses from a rapidly evolving digital threat environment. The scale of the change means you probably have questions about what it means for your day-to-day operations. The best way to minimize the impact and ensure you’re not just well-protected but also well-educated is to find a reliable partner.

At NMI, we offer a full suite of payments technology designed to make it fast, easy and profitable to sell payments to your merchants. With over 20 years of experience, NMI is also a leader in payment security. Our systems are all designed with PCI DSS compliance in mind, and our team has the deep expertise and experience necessary to act as your trusted advisor throughout your compliance journey.

If you’re interested in learning more about how partnering with NMI can boost your security and minimize your compliance burden, we’d love to hear from you. Reach out to a member of our team today.
