PCI DSS Compliance
PCI DSS is a set of technical and operational requirements established by the PCI Security Standards Council to safeguard cardholder data. Compliance with PCI DSS is enforced by payment card brands and is mandatory for all organizations that handle cardholder data.
At UC Davis, we take PCI DSS compliance seriously and have implemented measures to protect cardholder data. Failure to comply with any of the PCI DSS requirements may result in:
- Fines and penalties
- Diminished sales
- Lawsuits
- Reputational damage
- Higher subsequent costs of compliance
Release of PCI DSS v4.0
PCI DSS Version 4.0 was officially released on March 31, 2022.
This new version represents a significant update to the global standard for payment security, addressing emerging threats and technologies to better protect payment data. The release followed extensive feedback from the global payments industry, with over 200 organizations providing more than 6,000 items of feedback over three years.
Key Changes and Impact:
Customized Approach:
- Change: Introduction of a customized approach for meeting security objectives, allowing organizations to use innovative methods and technologies to meet the intent of PCI DSS requirements.
- Impact: Provides greater flexibility for organizations to implement security measures that best fit their unique environments and risk profiles.
Expanded Multi-Factor Authentication (MFA):
- Change: Expansion of MFA requirements to include all access into the cardholder data environment, not just remote access.
- Impact: Enhances the security of access controls, reducing the risk of unauthorized access to sensitive cardholder data.
Continuous Compliance:
- Change: Emphasis on security as an ongoing process, encouraging organizations to continuously monitor and improve their security posture.
- Impact: Promotes a proactive approach to security, helping organizations stay ahead of evolving threats.
Stronger Encryption Standards:
- Change: Updated encryption requirements to ensure stronger protection of cardholder data during transmission and storage.
- Impact: Enhances data protection, reducing the risk of data breaches and unauthorized access.
Support for Cloud Environments:
- Change: New requirements and guidance for securing cardholder data in cloud environments.
- Impact: Addresses the increasing use of cloud services, ensuring that cardholder data remains secure in these environments.
Greater Emphasis on Risk Assessments:
- Change: Increased focus on conducting regular risk assessments to identify and address potential security threats.
- Impact: Helps organizations identify vulnerabilities and implement appropriate security measures to mitigate risks.
Updated Terminology:
- Change: Changes in terminology, such as updating "firewall" to "network security controls," to encompass a broader range of technologies.
- Impact: Ensures the standard remains relevant and applicable to modern technologies and security practices.
Implementation Timeline:
- Transition Period: PCI DSS v3.2.1 will remain active until March 31, 2024, giving organizations time to transition to the new standard. At UC Davis, our PCI DSS Attestation of Compliance (AoC) is due to our acquiring bank every September, meaning we will be completing a v4.0 assessment in 2024 as v3.2.1 will no longer be active.
Release of PCI DSS v4.0.1
PCI DSS v4.0.1 is a limited revision of PCI DSS v4.0, primarily addressing stakeholder feedback and questions received since the release of v4.0 in March 2022. As with all new versions of PCI DSS, there will be a period where both the current and updated version will be active at the same time. PCI DSS v4.0 will be retired on December 31, 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard that organizations must comply with.
Upcoming PCI DSS Requirements Effective March 31, 2025
As of March 31, 2025, several best practice requirements from PCI DSS v4.0 will become mandatory. These changes are designed to address emerging threats and ensure robust protection of cardholder data.
Key Requirements Becoming Mandatory:
Multi-Factor Authentication (MFA):
- Requirement: Implement MFA for all access into the cardholder data environment.
- Impact: Enhances access control security, reducing the risk of unauthorized access.
Payment Page Script Security:
- Requirement: Ensure the authenticity and authorization of every third-party script enabled on the checkout page, with a documented inventory and justification for each script.
- Impact: Protects against web skimming, e-skimming, and form jacking attacks.
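One way to turn the script inventory into a repeatable check, as an added example (this is not UC Davis code and not text from the PCI DSS standard): parse the checkout page, compare every script tag against the documented inventory, and report anything that is unknown, undocumented, or whose Subresource Integrity value no longer matches what was approved. The inventory layout, the sample page, the hostnames and the integrity values below are all constructed for illustration.

```python
"""Check a checkout page's <script> tags against the documented script inventory.

Added example: this is not UC Davis code and not text from the PCI DSS standard.
The inventory layout, the page HTML and the integrity values are constructed for
illustration.
"""
from html.parser import HTMLParser

# Constructed inventory: every script allowed on the checkout page, with its
# business justification and the Subresource Integrity (SRI) hash recorded
# when the script was approved. Integrity values here are placeholders.
SCRIPT_INVENTORY = {
    "https://js.example-psp.test/v3/checkout.js": {
        "justification": "Hosted card fields from the payment service provider",
        "integrity": "sha384-PLACEHOLDERHASHaaaa",
    },
    "/static/checkout-form.js": {
        "justification": "First-party form validation",
        "integrity": "sha384-PLACEHOLDERHASHbbbb",
    },
}

# Constructed checkout page: one compliant script, one whose integrity value no
# longer matches the inventory, one unknown third-party script, and one inline
# script.
CHECKOUT_PAGE = """
<html><head>
<script src="https://js.example-psp.test/v3/checkout.js"
        integrity="sha384-PLACEHOLDERHASHaaaa" crossorigin="anonymous"></script>
<script src="/static/checkout-form.js" integrity="sha384-PLACEHOLDERHASHcccc"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="card"></form></body></html>
"""


class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> tag in the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_page_scripts(html, inventory):
    """Return (severity, message) findings for scripts that deviate from the
    inventory. An empty list means the page matches what was documented."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            # Inline scripts cannot be pinned with SRI, so each one needs its
            # own documented justification; none is recorded here.
            findings.append(("medium", "inline script present with no inventory entry"))
            continue
        entry = inventory.get(src)
        if entry is None:
            findings.append(("high", f"unauthorized script not in inventory: {src}"))
            continue
        if not entry.get("justification"):
            findings.append(("medium", f"inventory entry lacks justification: {src}"))
        integrity = attrs.get("integrity")
        if integrity is None:
            findings.append(("high", f"script lacks integrity attribute: {src}"))
        elif integrity != entry["integrity"]:
            findings.append(("high", f"integrity mismatch, content changed?: {src}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_page_scripts(CHECKOUT_PAGE, SCRIPT_INVENTORY):
        print(f"[{severity}] {message}")
```

Running this against the constructed page yields three findings: a changed first-party script, an unknown analytics tag, and an undocumented inline script. Run on each deployment (or on a fetched copy of the live page), a non-empty result is the signal that the inventory and the page have drifted apart and someone needs to confirm the change was authorized.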
Enhanced Web Protection:
- Requirement: Implement a Web Application Firewall (WAF) on public-facing web applications.
- Impact: Provides an additional layer of security to protect against web-based attacks.
Automated Audit Log Reviews:
- Requirement: Conduct automated reviews of audit logs to detect and respond to security incidents.
- Impact: Improves the ability to identify and respond to potential security breaches.
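What an automated log review amounts to in code, as an added example (not UC Davis tooling and not part of the PCI DSS text): a few detection rules run over authentication events from cardholder data environment hosts. The log format, host naming convention, admin account list, thresholds and sample lines are all constructed; in practice the SIEM's normalized events would be fed to review_auth_logs().

```python
"""Automated review of authentication audit logs from cardholder data
environment (CDE) hosts.

Added example: not UC Davis tooling and not part of the PCI DSS text. The log
format, host names, accounts and thresholds are constructed; in practice the
SIEM's normalized events would be fed to review_auth_logs().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, host, result, user, source address.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                   # failures from one source address ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window raise an alert
CDE_HOST_PREFIX = "cde-"             # constructed naming convention for CDE hosts
CDE_ADMINS = {"pci-admin"}           # constructed list of accounts allowed on CDE hosts

# Constructed sample: a password-guessing burst that ends in a success, a
# normal admin login, a login by an account not on the CDE list, and a line
# the parser does not understand (which must itself be reported, not dropped).
SAMPLE_LOGS = """\
2025-03-31T02:00:01Z cde-db01 auth: FAIL user=admin src=203.0.113.7
2025-03-31T02:00:03Z cde-db01 auth: FAIL user=admin src=203.0.113.7
2025-03-31T02:00:05Z cde-db01 auth: FAIL user=root src=203.0.113.7
2025-03-31T02:00:07Z cde-db01 auth: FAIL user=pci-admin src=203.0.113.7
2025-03-31T02:00:09Z cde-db01 auth: FAIL user=pci-admin src=203.0.113.7
2025-03-31T02:00:12Z cde-db01 auth: OK user=pci-admin src=203.0.113.7
2025-03-31T09:15:00Z cde-db01 auth: OK user=pci-admin src=10.10.1.5
2025-03-31T09:20:00Z cde-web01 auth: OK user=jsmith src=10.10.1.9
2025-03-31T09:21:00Z cde-web01 kernel: unexpected message format
"""


def parse_line(line):
    """Return a dict for a recognised auth line, or None."""
    m = LOG_PATTERN.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def review_auth_logs(lines):
    """Run the detection rules over log lines and return a list of alerts."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures

    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        ev = parse_line(line)
        if ev is None:
            # Unparseable lines are a review finding in their own right: a
            # format change or tampering would otherwise silence the rules.
            alerts.append({"rule": "unparsed_line", "detail": line})
            continue

        src, ts = ev["src"], ev["ts"]
        window = failures[src]
        while window and ts - window[0] > FAIL_WINDOW:
            window.popleft()  # drop failures older than the window

        if ev["result"] == "FAIL":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force", "detail": f"{src} on {ev['host']}"})
            continue

        # Successful login: was it preceded by a burst of failures?
        if len(window) >= FAIL_THRESHOLD:
            alerts.append({"rule": "success_after_failures",
                           "detail": f"{ev['user']} from {src} on {ev['host']}"})
            window.clear()
        if ev["host"].startswith(CDE_HOST_PREFIX) and ev["user"] not in CDE_ADMINS:
            alerts.append({"rule": "unauthorized_cde_login",
                           "detail": f"{ev['user']} on {ev['host']}"})
    return alerts


if __name__ == "__main__":
    for alert in review_auth_logs(SAMPLE_LOGS.splitlines()):
        print(f"{alert['rule']}: {alert['detail']}")
```

The sample produces four alerts: the failure burst, the success that follows it, the non-admin login on a CDE host, and the unparsed line. Reporting unparsed lines rather than discarding them matters for the review to stay meaningful: a silent format change would otherwise leave the rules running over nothing.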
Authenticated Internal Vulnerability Scans:
- Requirement: Perform authenticated internal vulnerability scans to identify and address security weaknesses.
- Impact: Enhances the detection and remediation of vulnerabilities within the internal network.
Management of Cryptographic Keys and Certificates:
- Requirement: Maintain inventories of certificates and keys, and ensure proper management and usage.
- Impact: Strengthens the security of cryptographic processes and protects sensitive data.
No Hard-Coded Passwords:
- Requirement: Ensure that no hard-coded passwords are used in scripts or configuration files.
- Impact: Reduces the risk of unauthorized access due to exposed credentials.
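A scanner for the hard-coded credential requirement, as an added example (not UC Davis tooling and not text from the PCI DSS standard), together with the remediated form of the same files. The key patterns, the sample backup script and config, and the definition of an acceptable value (a reference to an environment variable, secrets manager or template placeholder rather than a literal) are constructed choices for illustration.

```python
"""Scan scripts and configuration files for hard-coded credentials.

Added example: not UC Davis tooling and not text from the PCI DSS standard. The
key patterns, the sample files and the notion of a "safe" value (a reference to
an environment variable, secrets manager or template placeholder rather than a
literal) are constructed choices for illustration.
"""
import re

# A line that assigns a credential-looking key: KEY = value, KEY: value, KEY="value".
CREDENTIAL_ASSIGNMENT = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token))"
    r"\s*[:=]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

# Values that are references rather than literals: $VAR, ${VAR}, $env:VAR,
# {{ template }}, os.environ[...] / os.getenv(...), <placeholder>, or empty.
REFERENCE_VALUE = re.compile(
    r"^(?:\$.*|\{\{.*\}\}|os\.(?:environ|getenv)\b.*|<[^>]+>|)$"
)

# Constructed "before": a backup script and an app config with literal secrets.
BEFORE = """\
# backup.sh
DB_PASSWORD="Summer2024!"
mysqldump -u backup -p"$DB_PASSWORD" cardholder_db > /backups/ch.sql

# app.ini
[database]
password = hunter2
api_key = sk_live_constructed_example_value
"""

# Constructed "after": the same files reading secrets from the environment,
# which a secrets manager populates at runtime.
AFTER = """\
# backup.sh
DB_PASSWORD="${DB_PASSWORD:?must be injected by the secrets manager}"
mysqldump -u backup -p"$DB_PASSWORD" cardholder_db > /backups/ch.sql

# app.ini
[database]
password = ${DB_PASSWORD}
api_key = ${PSP_API_KEY}
"""


def scan_for_hardcoded_credentials(text):
    """Return a list of findings, one per line holding a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_ASSIGNMENT.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if REFERENCE_VALUE.match(value):
            continue  # indirection, not a literal secret
        findings.append({
            "line": lineno,
            "key": m.group("key"),
            # Never echo the secret itself into a report; record only its length.
            "value_length": len(value),
        })
    return findings


if __name__ == "__main__":
    for f in scan_for_hardcoded_credentials(BEFORE):
        print(f"line {f['line']}: literal value for {f['key']} ({f['value_length']} chars)")
    print("after remediation:", scan_for_hardcoded_credentials(AFTER))
```

On the "before" files the scanner flags three lines; on the remediated files it flags none, because each value is now a reference resolved at runtime. The report deliberately records only the length of a flagged value, so the scan output itself never becomes another place where a credential is exposed.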
Security Awareness Program:
- Requirement: Include training on phishing, social engineering, and acceptable use of technologies, with annual reviews of the program.
- Impact: Enhances employee awareness and preparedness against common security threats.