In the past six months, we’ve seen many changes in the government and legal landscape, including the war in Ukraine, abolishment of federal laws, transformation of government regulations, threats of cyberwar and much more.
It’s important for financial institutions to take a proactive approach to their cybersecurity. Earning compliance certifications, taking preventative measures like penetration tests and vulnerability scans, and continuous monitoring are crucial to all institutions, regardless of size. Understanding how your IT systems would hold up in a real-world attack scenario is especially valuable given the current global threat environment.
Let’s dive into PCI DSS to learn how the recent framework changes will help financial institutions navigate the remainder of 2022 and why penetration testing will further secure your customers’ data.
PCI DSS 4.0 redesigns requirements to better clarify security intent
On March 31, 2022, the PCI Security Standards Council (PCI SSC) updated the PCI Data Security Standard (PCI DSS), which is the information security standard used by retailers and financial organizations to protect sensitive cardholder data.
Hundreds of pages longer than the previous version, the new standard is considered a major update and is a significant revision of PCI DSS v3.2.1. Moving forward, organizations can expect most requirements to have some level of alteration — from changes to requirement number, location, and wording, to new requirements and testing procedures.
PCI DSS v4.0 maintains its core structure of 12 PCI DSS requirement sections. However, it features significant changes to the requirement layout and, in many cases, to the wording itself. Some requirements were relocated to new sections to better suit their purpose and objective. You will also find requirements that have been redesigned to better clarify their security intent and provide additional guidance on how security controls should be implemented.
PCI DSS v4.0 and PCI DSS v3.2.1 will both be valid standards available to organizations until March 31, 2024, after which only PCI DSS v4.0 assessments will be allowed. Also, most new requirements (which include others not listed above) will be considered best practice until 2025.
The PCI SSC is still working to release supporting documents to assessor companies and provide training to all assessors before they can perform any PCI DSS v4.0 assessment.
Information Security teams can’t let their guard down, even a little
Microsoft identified and issued fixes for 55 different zero-day vulnerabilities in June 2022. Whenever there’s a large security update from a major vendor, we always see an uptick in pen test projects. Pen testing is a critical part of a financial institution’s security posture, but it’s not a silver bullet. All too often, we find unpatched systems, security misconfigurations, and other infrastructure-level errors that should be caught well before an attacker exploits them. With the escalating threats we are seeing so far this year, IT security teams need to be extra diligent in the remainder of 2022.
Now is the time to prepare
Working in the financial services industry means that your institution will need to closely follow compliance framework changes, practice continuous monitoring and strictly adhere to regulations. This oftentimes results in institutions wasting valuable time and resources conducting audits in an inefficient manner. A-SCEND, A-LIGN’s compliance management and audit automation software, deduplicates efforts and helps your institution streamline the audit process. This SaaS platform allows users to upload evidence once and reuse it across multiple efforts, transforming the audit process into a well-planned initiative.
For more information on how A-LIGN can help your organization achieve compliance, contact us today.