Reinhart Hansen, Director of Technology, Office of the CTO, Imperva

The six significant changes introduced in PCI DSS 4.0 are:

      1. Customized implementation: Empowers organizations to select the most suitable methods and technologies to achieve their security objectives, provided they can substantiate and document efficacy. This flexibility enables firms to embrace innovative compliance strategies freely.

      2. Security as a continuous process: Firms must monitor and evaluate their security posture, including that of their supply chain, on an ongoing basis, and undertake validation activities at least annually or in response to significant changes.

      3. Strong authentication and encryption: Firms must apply stronger authentication and encryption controls wherever cardholder data is accessed, transmitted, or stored.

      4. Secure system components: Scope-wise, PCI DSS will cover any system components used to capture, process, or store cardholder data.

      5. Advanced and diverse payment fraud detection: Organizations must use more advanced and varied techniques for detecting and preventing fraud, such as tokenization, point-to-point encryption, and biometrics.

      6. Continual compliance: Organizations must continuously assess their security posture and document their control effectiveness rather than annually.

Here are five recommended application security best practices that every organization using payment cards should adopt.

    • Identify and list all bespoke and custom software and any third-party software integrated into your organization’s bespoke and custom software. This inventory enables effective management of vulnerabilities and patches. API protection measures should also be implemented to discover and inventory the APIs responsible for processing, receiving, transmitting, and storing cardholder data, and to remediate vulnerabilities in them.
    • Use more advanced and diverse techniques to detect and prevent fraud, such as bot detection and management to prevent unauthorized and malicious automation.
    • Using web browser-based applications to capture cardholder data can expose data to unauthorized parties. Malicious client-side scripts (JavaScript), often injected into the end user’s browser and application experience by cybercriminals, pose a significant risk. To address this, organizations should ensure policies are in place only to allow authorized scripts to interact with a payment web page. Additionally, they should restrict the locations from which a payment page can be loaded, and use the content security policy of the parent page to prevent unauthorized content from replacing the payment page.
    • Monitor and block unintended behavior within an application. Runtime application self-protection technology can detect and block anomalous behavior by the entire software and application stack during execution.
    • Establish the ability to automatically identify and prevent web-based attacks. This can be achieved by deploying a Web Application Firewall that extends to comprehensively protect APIs in front of public-facing web applications.

A robust application security strategy is integral to PCI DSS 4.0 and more than a compliance checkbox. Firms should incorporate application security best practices to ensure there is a critical line of defense for their most valuable asset: data.
In creating a holistic security strategy that combines application and data security controls, businesses can streamline compliance and position themselves to improve data protection and avoid costly breaches.