Your Compliance Partner: How Worldline can help pave the way to PCI 4.0

01 / 05 / 2024

PCI DSS, the security standard for the payments industry, has a new version - 4.0. Learn what PCI compliance is, why you should be PCI compliant, what the new PCI v4.0 requirements are, and the actions Worldline is taking to stay compliant.

2 min.

Food service Partnership Payments Payments gateway Corporate

As businesses continue to rely on digital transactions, the need for secure payment processing becomes increasingly important. One of the key aspects of ensuring security in payment processing is maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS). The goal of the PCI DSS is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted.

PCI DSS v4.0 encompasses two phases. The first phase was effective on March 31, 2024. The second phase will be effective as of March 31, 2025 - after which phase two PCI DSS v4 requirements will need to be part of your next PCI DSS assessment.

If you are wondering what PCI compliance is, why you should be PCI compliant, and what the new PCI 4.0 requirements are, this article will cover the key details you should know, as well as what actions Worldline is taking.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. These are the 12 principal requirements:

PCI Data Security Standard - High Level Overview

Build and maintain a secure network and systems

#1
Install and maintain network security controls.

#2
Apply secure configurations to all system components.

Protect account data

#3
Protect stored account data.

#4
Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program

#5
Protect all systems and networks from malicioussoftware.

#6
Develop and maintain secure systems and software.

Implement strong access control measures

#7
Restrict access to system components and cardholder data by business need to know.

#8
Identify users and authenticate access to system components.

#9
Restrict physical access to cardholder data.

Regularly monitor and test networks

#10
Log and monitor all access to system components and cardholder data.

#11
Test security of systems and networks regularly.

Maintain an information securiy policy

#12
Support information security with organization policies and programs.

You can watch this discussion between PCI Security Standards Council staff as they focus on how updates to the Standard meet the evolving security needs of the payments industry, promote security as a continuous process, and increase flexibility for organizations using different methods to achieve security objectives, and enhancements to validation methods and procedures.

Why should Worldline be compliant?

Non-compliance with PCI standards can have severe consequences for businesses. According to this IBM report, the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over the last 3 years. There was a 20% increase in data breaches from 2022 to 2023 and hackers are constantly evolving their techniques to exploit vulnerabilities in payment processing systems, making it crucial for businesses to stay ahead of the game. Failure to comply with PCI standards not only puts your customers' sensitive information at risk but also exposes your business to potential legal and financial repercussions.

What is new in PCI DSS v4.0?

There are a few goals that encompass the changes that the new PCI 4.0 requirements intend to achieve. Below you'll find a high-level overview of the goals for PCI 4.0.

Goals for PCI DSS v4.0

Continue to meet the security needs of the payments industry

Updated password requirement
Additional multi-factor authentication requirement
New e-commerce and anti-phishing requirements to address ongoing threats

Promote security as a continuous process

Stricter and clearer assignments of roles and responsibilities
Extra training to better understand implementation and maintenance of new security protocols

Increase flexibility to maintain payment security

Availability of group, shared, and generic accounts
Two types of targeted risk analyses (TRAs) to provide entities with the flexibility to evaluate risk and determine the security impact of specific requirement controls, as appropriate for their environment
Customized approaches to implement and validate PCI DSS requirements

Enhance validation methods and procedures

Clear validation and reporting to support transparency and granularity
Increased alignment between information in the Self-Assessment Questionnaire and the Attestation of Compliance.

Upcoming changes for PCI v4.0

Multi-Factor Authentification

Roles and responsibilities

Additional documentation and platform audits

Payment page security

We are diligently working to ensure that all business needs, requirements and remediations for PCI DSS v 4.0 are met by March 31, 2025. Watch this space for more!

Got more questions? Find out more by contacting our sales team at sales.na@worldline.com.