Your PCI-DSS v4.0 Roadmap: Thales Guest Blog
Charting a Course of Education, Analysis & System Enhancements
We were recently approached by our friends at Thales to knowledge share about how payment organisations may consider charting their course through PCI compliance.
The full blog article from A24 CISO Shane Tully can be read here.
Below summary outlines the key points.
The Payment Card Industry Data Security Standard (PCI-DSS) v4.0 is about protecting cardholder data and maintaining the secure reputation of the industry as a whole. Cyber threats are continuing to grow and evolve in frequency, vector and complexity requiring stronger protection, particularly for payments data. However, this new version of PCI-DSS isn’t all about raising the bar. It allows businesses to be more flexible in how they protect their data.
The main focus is on staying secure all the time.
We know that an approach of minimising risk and impact through prioritising cybersecurity efforts and continuous improvement will keep you heading in the right direction.
Customer Story
One of our clients is a publicly listed global payments platform operator offering innovative products and payment options to support the movement of money globally using cloud-based services and APIs. Operating in the UK, Europe and Australia, a global scalable approach was needed. The company wanted a complete digital makeover, including a cloud migration and a revamp of their customer experience. They also had to strictly adhere to data security regulations. However, moving everything to the cloud proved tricky. Some hardware and gateways wouldn't work seamlessly, and they struggled to retain the skilled staff needed to manage their on-premise infrastructure. This created a dilemma - if they moved everything, it could disrupt customer experience.
A24 built a secure encryption solution for a global payments platform provider. This solution utilized Thales hardware that couldn't be virtualized in the cloud and was placed in secure data centers next to Microsoft Azure. A24 not only designed and built the infrastructure but also manages it, ensuring compliance and training the customer's staff.
This new approach allowed the payments provider to achieve PCI-DSS 4.0 certification across multiple locations and provided a secure, compliant foundation for their future global expansion. Additionally, the customer gained access to A24's expertise and 24/7 support, simplifying their operations.
Proven Step-by-step Approach
Strategic Planning for Compliance
To achieve PCI-DSS 4.0 compliance, start by familiarizing yourself with the stricter authentication, broader encryption, and more flexible compliance demonstration requirements. Educate all employees through workshops and training on how these changes impact their roles and security protocols. Next, conduct a comprehensive assessment process that begins with evaluating your current compliance status. Follow this with a gap analysis comparing your status to the new requirements to pinpoint areas needing improvement, such as authentication, encryption, and monitoring. Finally, conduct a risk assessment to identify the most critical vulnerabilities and prioritize their remediation. Based on your findings, develop a compliance roadmap with timelines, resource allocation, and a plan to address data sovereignty challenges. This will ensure you focus resources effectively and achieve compliance efficiently.
Handy Tip: A useful resource on data sovereignty and how it applies in public Cloud environments can be found at Data sovereignty in a public cloud environment | IDEMIA.
Updating your organisations' security policies and procedures to align with the new standards, as well as other emerging standards both in market and global for those operating cross border is one way to ensure due diligence in on-going operations and compliance requirements. This should span not only PCI-DSS and include other relevant Regulations for your market. For example, consider the European Digital Operational Resilience Act (DORA). Our latest Blog Decoding DORA for FinTech Operational Resilience: 5 Areas of Focus covers this in more detail.
Ongoing Technology and Process Enhancements
Achieving PCI-DSS 4.0 compliance requires a comprehensive strategy. Implement new security technologies, especially for encryption and authentication, considering expert guidance and staff training. Tools like the Thales TMD can be valuable for key management. Redesign data handling processes to align with the updated standards and your chosen solutions. Additionally, prioritize continuous compliance by implementing robust monitoring systems and establishing regular testing routines. Finally, meticulously document all changes and data flows to demonstrate how you meet each PCI-DSS 4.0 requirement. This multi-faceted approach ensures you effectively address evolving regulations and protect cardholder data.
Employee Training, Vendor Management, and Ongoing Support
Maintaining secure data handling practices requires continuous training for staff on the latest PCI-DSS requirements. Organizations can tailor training programs to specific roles, ensuring key personnel understand their responsibilities. Additionally, if vendors handle cardholder data, managing their compliance with PCI-DSS 4.0 becomes crucial. To navigate the transition and ensure ongoing compliance, organizations can benefit from ongoing support and consultation. This support can include establishing a feedback mechanism to address any questions or difficulties that arise during implementation or post-compliance.
PCI-DSS 4.0 offers more flexibility to customise implementations via the use of different technologies or methodologies. Hosting in a 3rd party data centre like Equinix can bring a more robust approach to access control and allows deployment in over 92 countries.
By taking a considered approach and following these steps, you can significantly ease your transition to PCI-DSS 4.0, ensuring you not only comply with the new requirements but also enhance your overall data security posture.
