What Banks Need to Know about PCI DSS v4.0
Banking regulation has always been a bit of a tennis match—a back-and-forth between more regulation, and then less. Before the shift to deregulation starting in the 1980s, banks adhered to state and federal banking laws, as well as narrow lines of business. After years of phased-in deregulation, the pendulum swung back. Now regulatory and industry compliance for banks includes more rules than ever before: privacy laws, federal trade regulations, non-bank industry regulations, and community impact reporting.
Many of these new requirements were driven by technology, of course; among them is the Payment Card Industry Data Security Standard (PCI DSS), now considered the flagship standard for payment card security. Though the standard first emerged 20 years ago, it was recently updated to its latest version, v4.0, which becomes the required standard on April 1, 2024, superseding the previous version, 3.2.1.
As an experienced Qualified Security Assessor Company, Schellman understands how such a huge change will impact varying organizations and our current clients. In hopes of easing the upcoming adjustments, we wrote extensive breakdowns of the new standard, including what service providers should know. Now, we’re going to outline some of the major impacts and concerns that banks will have to consider regarding this new version going forward.
Why Should Banks Concern Themselves with PCI DSS v4.0?
Banks should take particular interest in this standard. They process a great deal of business using credit cards and card-branded debit cards, and some of them—often called acquiring banks, or simply acquirers—have oversight of and responsibility for the merchants who accept payment cards in their business.
Acquirers are responsible for ensuring their merchants are compliant with the PCI DSS: they must confirm that the required controls are implemented and perform ongoing monitoring. With the updates in PCI DSS v4.0, the compliance oversight that acquirers must perform has become considerably more involved, both for acquiring banks and for the merchants that accept payment cards.
Below are some major considerations for these organizations going forward.
Banking Industry Considerations with PCI DSS v4.0
First things first: how much remedial work should those in the banking industry expect in order to accommodate the changes in PCI DSS v4.0? The load may be considerable in certain key control areas, because the new controls and processes are not yet widely implemented by anyone (not just banks).
PCI DSS v4.0 includes important additional controls, elaborated upon here. Some of the major changes include:
- Removal of disk-level encryption as the sole option to protect cardholder data in storage
- New requirement for use of keyed cryptographic hashes
- New requirement for use of automated technical solutions to detect and prevent web-based attacks
- Updates to multi-factor authentication requirements
- New requirement for use of authenticated internal vulnerability scans
- New routine steps to confirm the scope of the PCI DSS environment
Acquirers will also need to plan for the targeted risk analysis activities now required under the new v4.0. Like the periodic controls above, risk analyses will need to be performed regularly before a PCI DSS v4.0 assessment.
Implementing these won’t happen overnight, so make sure you leave ample time to put these new controls into place and cycle through their required period of activity.
Take special care with cyclical requirements like these. In our experience, shifting to such routines trips organizations up when production and revenue activities take scheduling priority; leaving security controls at the bottom of the budget (if they are addressed at all) can lead to problems with v4.0 compliance.
Similarly, you’ll now need to plan for contingencies within your team more than ever in order to stay in compliance. In a lot of cases, budgetary constraints may mean that compliance tasks are relegated to a small number of people—sometimes, only one person. Consider what happens if that sole person leaves—the institutional memory of those periodic activities leaves with them, and you might fall out of compliance because no one else picks up those activities.
To get more specific on how you can successfully adjust your compliance, let us separately address two different groups of banks: those that carry the entire load themselves, and those that must also keep their partners in compliance.
If You’re Performing Your Own Merchant or Service Provider Activities
Let’s start with the work that’ll need to be done by those on their own:
- Perform a readiness assessment.
- Establish a project team to identify the new control activities that need to be addressed, and set a project timeline for bringing the organization into compliance.
If you’re one of the many banks constantly updating compliance controls for multiple regulatory agencies—Federal, FDIC, state banking authorities, Comptroller of the Currency, et al.—this might already be baked into your existing culture.
After determining your gaps in a readiness assessment, you can further focus your efforts within your environment. Some areas of note might include:
If You’re an Acquiring Bank (Acquirer)
However, if you are an acquiring bank, you also need to expand that work to include furthering your understanding of the current security postures of your merchants and service providers.
After all, you are responsible for them and their compliance, so make sure you:
- Confirm the timeline each of them is on for compliance with PCI DSS v4.0.
- Ask about their internal risk management procedures.
- Know the cadence of their Business As Usual (BAU) controls.
- Understand the gaps in their PCI DSS v4.0 compliance that they’ve self-identified, as well as their plans for addressing those gaps.
You may already be well in the habit of asking for information beyond just a signed Attestation of Compliance (AoC) or a signed Self-Assessment Questionnaire (SAQ). If not, sending out a questionnaire with detailed questions that target key areas of PCI DSS v4.0 is a good start.
Help establish the path to compliance for your merchants and service providers by pushing that they also complete a PCI DSS v4.0 readiness assessment now—if they can’t do it themselves, encourage them to hire a PCI QSA company to assist or perform it.
Getting started now will help ensure that neither you nor your merchants/service providers run out of time before v4.0 becomes mandatory.
Moving Forward With PCI DSS v4.0
The most important thing that everyone—banks included—needs to know about the new PCI DSS v4.0 standard is that it takes a risk-based approach to compliance. This shift has meant a related one regarding the necessary oversight acquiring banks need to perform.
The various new requirements—both regarding implementation and testing cycles—mean that everyone should get started on transforming their environment where it needs it. Whether you perform your merchant activities yourself or outsource them, you now have a solid starting point for adjusting your compliance.
That being said, if you still have questions about the transition to the new standard, please don’t hesitate to reach out to our team, who are standing by and ready to address any concerns you may have.
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.