Episode 407: Understanding the New PCI Standards for Higher Ed
FOCUS, 2 Aug 2022


The latest version of the Payment Card Industry Data Security Standard (PCI DSS) was recently released, and higher ed institutions should start preparing to comply. Adherence to the new PCI DSS 4.0 will require colleges and universities to update how they manage PCI compliance campuswide. To outline the major points of the new standard and how to approach them, the FOCUS podcast invited Walid Barakat to share his expertise on the subject. Barakat is the senior vice president of IT governance, risk, and compliance at Global Payments, where he and his team are responsible for PCI compliance, merchant compliance, IT risk, and cloud business.

What is PCI DSS 4.0?
Like past versions, PCI DSS 4.0 is a set of payment security requirements for organizations (merchants) that process transactions with payment cards. Merchants partner with an assessor to understand the maturity level of their security and to get advice on ways to strengthen their security programs. PCI DSS 4.0 is a complete rewrite of the existing 3.2.1 standard, created with feedback from the PCI community. Requirements have been restructured to include the intent behind them and how to validate them. With this fresh look at the security standard, the goal of PCI DSS 4.0 is to ensure security year-round.

“There are some new requirements to really drive best practices, recommendations, and enhanced accountability for organizations to maintain compliance year-round,” said Barakat. “Not just when it's time for the assessment, or working directly with an assessor.”

What institutions can expect
The latest version of the PCI standard includes clearer requirements, more testing guidance, and the opportunity for institutions to work with an assessor to tailor the validation approach to their unique environment. The new standard places greater ownership on merchants, encouraging campuses to review their security posture to see how controls are being met.

When it comes to the timing of PCI DSS 4.0 implementation, institutions are offered a multi-phase approach. The first phase begins in March 2024 with a small set of requirements focused on defining roles and responsibilities and on higher-level risk posture. This sets them up for the remaining requirements, which become effective in March 2025.

Institutions will need to minimize their exposure, which can be done in part with multi-factor authentication (MFA). Ensuring that MFA, appropriate security controls, and firewalls are properly in place and documented reduces the scope of the PCI assessment, narrows the threat vectors, and lowers overall security risk.

The PCI Council has made PCI DSS 4.0 publicly available, which means anyone who visits the council website can review the standard and its documentation, see a comparison to prior versions, and read published awareness documents and FAQs.

The importance of assessors and ISAs
Barakat suggests two ways for institutions to approach PCI DSS 4.0 and move toward compliance. The first is to take advantage of the time between now and 2024 to partner with an assessor, understand the current security posture, and take their guidance into consideration. The assessor will be able to show institutions where they may need to place additional emphasis and mature their controls.

The second approach is training current staff members to become internal security assessors (ISAs). With an ISA, institutions have someone who already knows the ins and outs of their systems trained through the PCI Council’s program to understand the standard, the overall PCI process, and what is needed for reports on compliance. The council will also offer free PCI DSS 4.0 training to all ISAs, making compliance even easier to achieve.

Final advice
Barakat’s final advice to colleges and universities is to always have defined roles and responsibilities among staff and to make sure everyone understands how their daily tasks contribute to compliance. He also advises institutions to make good use of documentation for more streamlined assessments. A transparent relationship with the assessor, and listening to their guidance throughout the entire year, are also key. Find additional resources on PCI DSS 4.0 here.

Looking for tips on how to build a strong PCI foundation? Download TouchNet’s PCI Explained eBook for an introduction to payment card terminology, how payments are processed, and best practices in building resources and processes vital to streamlining PCI compliance.

Special Guest: Walid Barakat.
