
New MFA security standards for online payments come into force

Version 4.0 of PCI DSS also reforms password requirements and broadens its terminology to address other network access controls


Companies accepting credit card payments online have a new set of standards to abide by as of today.

The Payment Card Industry Security Standards Council has issued version 4.0 of its PCI Data Security Standard (PCI DSS), a standard defining security measures to protect payment card information.


Anyone holding this data, such as online retailers or service providers, must comply with the standard.

The new version of PCI DSS features several changes. It expands the access control requirements so that multi-factor authentication (MFA) is mandatory for all access into the cardholder data environment, not only for administrative or remote access, and it also updates the password requirements.

Companies following the standard will also have to implement new protections against phishing attacks.

The latest document also gives organizations more flexibility in how they demonstrate compliance. Whereas the previous version framed its network requirements around firewalls, version 4.0 has broadened its terminology to "network security controls" so that other technologies performing the same function are covered.

The Council has also added support for targeted risk analyses, which let companies define for themselves how frequently they perform certain security-related activities, it said.

The Council will translate the new version of PCI DSS into different languages over the next few months. Assessors, the companies that verify compliance with the standard, also have to train in the new version.

The current version, 3.2.1, will remain active until 31 March 2024, the Council said. After that, version 4.0 will be the only active version of the standard. Some requirements in the new version are initially defined as best practices but will become mandatory; organizations will have an extra year, until 31 March 2025, to phase those in.
