What your organization needs to know about complying with PCI DSS 4.0

With over 400 PCI requirements, PCI DSS 4.0 presents new challenges, many of which will affect your security training for developers. Whether you're a merchant or a service provider dealing with credit card data, we highlight some of the important aspects to be aware of when preparing your team, training, and processes. These insights come from our amazing panelists on our Wizer Webinar: PCI DSS 4.0 Decoded. Hear the full conversation here.

PCI DSS 4.0 Compliance: Who Is It For?

Figuring out who needs to follow Payment Card Industry (PCI) standards boils down to whether a company deals with cardholder data in any way – that's receiving, storing, processing, or sending it. If you handle cardholder data, you're likely to be on the hook for compliance at some point. If you're a seller, your bank should reach out to you and hand you a PCI pack that lays out what you need to do - READ IT!

Even if you weren't told about PCI compliance, you're still legally responsible. If you handle devices that touch cardholder data, you have to follow the rules, and waiting to be told isn't an excuse.

Does Non-Compliance For PCI DSS 4.0 Land Me In Jail?

One common misconception is that PCI is a law. It is often called one, but it's actually a contractual requirement from the card brands. To be a law or regulation, it has to come from Congress or a government agency. So while you won't go to jail if you fail to be compliant, your company is at risk of going out of business. In 2024, with security being such a huge focus, judges won't be so forgiving for non-compliance in this area.

What If I Use A Third Party App Like Stripe or Box?

Imagine you're a startup or a store using services like Box or Stripe. You might wonder if PCI DSS 4.0 compliance is necessary when you're just using the third party service to process card payments. While the third party will handle the security of processing payments within its app, your site must still be properly secured to ensure no backdoors to the data are left open. A secure checkout page is a must, regardless of the payment processor, because the page you serve can be attacked even when the processor itself is secure.

Responsibility can be outsourced, but liability cannot, even with third-party providers. Cloud providers spell this out in their own responsibility documentation, which too often goes unread.

Is SOC2 Enough to be Compliant for PCI DSS 4.0?

The deal is, according to PCI Council rules, SOC2 doesn't quite cut it for PCI compliance. PCI assessments need way more detail, like digging into techie stuff such as firewall configurations, open ports, review frequency, and distinguishing between outbound and inbound traffic among other things. Simply put, PCI demands a much deeper dive compared to other security standards like SOC2.

Using PCI DSS 4.0 As A Metric To Ensure Security

In discussing security baselines among compliance standards, PCI DSS 4.0 stands out for its robustness. The 12 requirements cover various aspects, highlighting secure coding and training, as well as aligning with frameworks like NIST and CMMC. PCI offers clear guidance on each control, providing a solid foundation for security even for organizations that don't handle credit card data.

Following PCI's best practices is beneficial for maintaining security across an organization, regardless of the specific data involved. This approach offers clarity, especially for those with limited knowledge, allowing them to adhere to established guidelines rather than making guesses.

Customizing PCI DSS 4.0: Is It Right For You?

With the PCI DSS 4.0 changes comes the ability to customize, which is great on the one hand, but it’s important to understand the scope of what is involved to do so. It can come with a significant cost in time and money, and implementation is not so simple. For large enterprises with mature processes, experienced personnel, and well-tuned tools, it may be a great option. Just be sure to provide a solid justification to your leadership team for pursuing this route. However, for environments that lack these elements, it’s recommended to build something that meets the defined control.

Using Best Practices For Secure Coding

While it’s important to rate code vulnerabilities, a common mistake is overlooking the ‘small’ vulns, because the reality is that all the small issues in coding securely can add up to significant breaches. Despite some aspects relying on automated tools, the overall emphasis of PCI DSS 4.0 on education and secure coding practices is a big positive step forward.

Also, the new requirements will push developers to advance their knowledge beyond the basics. OWASP Top 10 training for developers is a good start, but it’s not enough to provide the in-depth knowledge of the more advanced attack techniques that coders will have to learn to protect against. So it will be critical to ensure your team has access to secure coding training for developers that educates on specific types of common attacks.

In short, PCI DSS 4.0 brings many positive benefits for ensuring your developer team stays on top of secure coding practices for safeguarding your clients' payment data. Looking for a quick reference sheet to provide your development team? Get our free download of PCI DSS 4.0 in Plain English for developers.

Looking for a simple and effective way to help your dev team boost their secure code training? Wizer’s Secure Code Training for Developers provides all-in-one solutions for secure coding, like developer training, code labs, and challenges made just for developers. Learning secure coding isn't automatic with experience - we help bridge the gaps with dedicated training and fun challenges in small, manageable monthly learning sessions.

Learn more about Wizer’s secure code training for PCI DSS 4.0 here.