Blog

Transport Layer Security (TLS) is a cryptographic protocol that encrypts data, authenticates connections, and protects the data in transmission. As time passes, new versions of TLS are released to strengthen defenses and maintain an advantage of the constantly evolving threat landscape. Understanding these updates is essential for anyone managing secure systems or handling sensitive data online.

In our digital economy, online shopping has become second nature for consumers worldwide. Yet behind the seamless checkout experiences that we've come to expect lies a complex security challenge that merchants must navigate. With the rise of e-commerce payment processing comes the rise in threats from e-skimming attacks.

Given today’s continually evolving threat landscape, strengthening access controls is an essential element and growing priority of any robust security program. As such, it’s no surprise multi-factor authentication (MFA) has become a widely adopted compliance requirement by a significant number of security standards across industries. That said, it can be difficult to understand the intricacies of the MFA regulations for each compliance framework.

The PCI Security Standards Council (PCI SSC) has announced significant updates impacting e-commerce merchants currently collecting payments via an iFrame or redirect. The new guidance brings notable changes to the PCI DSS compliance process for merchants who are eligible to complete the Self-Assessment Questionnaire (SAQ) A.

Historically, PCI DSS has treated most service accounts as shared administrator accounts that had to be authorized with specific privileges using strong authentication factors. But now, version 4.0 of the PCI DSS has greatly expanded the scope of authentication and authorization requirements—while you’ll still need to secure those administrator accounts, you’ll now also need to implement controls to protect any application and service accounts in your environment.

Since the sunsetting of PCI DSS v3.2.1 on March 31, 2024, PCI DSS v4.0 has become effective, as have some of its new requirements (though future-dated requirements will be effective March 31, 2025). While v4.0 has introduced some major changes in various areas, for service providers—including some that include additional nuance for colocation providers in particular—multiple new requirements are now effective as well as some that are future-dated.

As of June 11th, PCI DSS v4.0.1 was officially released. This update comes with several clarifications and adjustments to the previous version, ensuring more precise guidelines and addressing various implementation issues.

If you’re a newly hired CISO or Director for an organization that’s required to achieve and maintain PCI DSS, you may be wondering how and where you can get started so that you’re ready when it comes time for the assessment to begin.