NonStop TBC 2024, MFA and PCI DSS 4.0
comforte


First off, a Big Thank you to the CONNECT team – Kelly, Kristi and Stacie – for organising this year’s NonStop TBC in Monterey.
This year marks the 50th anniversary of Tandem/NonStop. Quite an achievement!
When I started my career in the NonStop business some 30 years ago, there were predictions that the Tandem platform would cease to exist! While some users did indeed go off the platform (a painful process!) or tried to, others remained on NonStop. It is these users who formed a strong NonStop user community, and it’s still going strong to this day. The NonStop TBC in Monterey was a testament to that!
It’s always a great pleasure to discuss requirements with customers and prospects in person. In addition to being a Platinum Sponsor of the event, comforte gave two well-attended talks:
- Gustavo Martinez – Introduction to comforte MFA (Multi-Factor Authentication). MFA is a mandated PCI DSS 4.0 requirement, and comforte has implemented MFA functionality on HPE NonStop to help our customers meet PCI 4.0 requirements and provide new options to enhance the security of the HPE NonStop platform.
- Steve Kubick and John Russell – PCI DSS 4.0 – Get ready cause here I come! The PCI DSS 4.0 effective date is looming (31 March 2025), and comforte has partnered with ACI Worldwide to help their customers achieve PCI DSS compliance.
PCI DSS is an important aspect of comforte’s business, and the following article explains how we can help financial institutions prepare for PCI DSS 4.0.
Preparing for PCI DSS 4.0: Five Steps to Get Financial Institutions Ready
For two decades, the payments security industry body, the PCI Security Standards Council (PCI SSC), has demanded compliance with an ever-growing set of rigorous technical and operational requirements to protect cardholder data. PCI DSS 4.0 is the biggest update to its payment card industry data security standard since its inception in 2004. It applies to any organisation that accepts, processes, stores or transmits card data—which means most financial institutions.
But with so much on their to-do list, what should financial services firms prioritise to accelerate compliance before the 31 March 2025 deadline?
What’s new in PCI DSS 4.0?
PCI DSS 4.0 was designed to move with the times—not an easy feat in a world where threat actor innovation is moving as fast as enterprise digital transformation. That’s why it introduces a series of new requirements designed to ensure complying banks are as secure as they can be. The stakes are high: the banking industry is a prime target for data breaches, given the huge quantity of card details and personally identifiable information (PII) it stores. According to one recent study, the sector was the most breached in 2023, overtaking healthcare with over a quarter (27%) of recorded incidents.
In this context, some of the key changes from the previous PCI DSS iteration are:
- A larger range of acceptable network security controls that can be used instead of firewalls
- A new requirement to deploy multi-factor authentication (MFA) for access into the cardholder data environment (CDE)
- Greater flexibility in demonstrating compliance with security objectives
- New targeted risk analyses, designed to give complying organisations more flexibility in how frequently they perform certain activities
With a mission to keep pace with the ever-changing card industry, technology and threat landscape, PCI DSS 4.0 was designed to:
- Provide greater flexibility in the technologies organisations can use to achieve compliance
- Promote continuous security rather than treating compliance/security as a tick-box endeavour
- Enhance validation methods and procedures
Five steps to get started
There are over 50 new requirements in PCI DSS 4.0. Some will be easier to meet than others. To get started, consider the following:
- Perform a readiness assessment
Get an in-house or third-party expert to assess the scope of the organisation’s PCI DSS compliance program and check that it is correct. Anything done at this stage to reduce the scope (such as removing unnecessary hardware/software components) will also help to reduce cost and minimise the attack surface. This initial process should identify any gaps and deliver a roadmap for compliance.
- Update training and awareness programs
Many organisations forget that a critical component of PCI DSS success is its people. Staff need to be regularly updated on the latest security threats and how to identify and handle them, because threat actors devise new ways to compromise CDEs every month. Training lessons should include real-world attack simulations and be fairly short (10-15 minutes) but frequent.
- Develop the right policies and procedures
This is perhaps the most important step, as policy is the bedrock of any compliance strategy. It requires documenting a set of written procedures that explain how the organisation manages its CDE. Include information security, incident response, and user awareness and training as a starting point.
- Get granular with technical controls
PCI DSS 4.0 is highly granular in its required technical controls. There are also some updates from previous versions, such as MFA, anti-phishing procedures, authenticated internal vulnerability scanning, and anti-e-skimming measures. Remember: the devil is in the detail.
- Perform continuous monitoring
PCI DSS 4.0 is all about security as a continuous process rather than a point-in-time compliance play. One of the best ways to achieve this is through continuous monitoring of security controls and the CDE. The former will assess and flag any non-performant controls for remediation, while the latter will ensure any new data appearing in the CDE is automatically protected.
Consider comforte’s Data Security Platform here. It uses AI technology to automatically discover, classify and protect (in line with policy) any sensitive data, wherever it is being stored across the organisation—including in cloud environments. This is essential given the increasingly distributed nature of banking IT infrastructure today and the rigorous requirements of PCI DSS 4.0.
In it for the long term
As always, the effort needed to attain PCI DSS compliance will be significant. But so will the rewards. This is not just about mitigating the risk of major compliance fines. It is about building a more secure enterprise data environment. That will stand the organisation in good stead, not just with the PCI SSC, but with other regulations—from GDPR to CCPA and beyond.
Case Study: City Fresko achieves PCI-DSS compliance with tokenisation