PCI DSS v4.0: Examining Updates and New Requirements | CHEQ

On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) unveiled version 4.0 of the globally acknowledged Payment Card Industry Data Security Standard (PCI DSS). 

Succeeding PCI DSS v3.2.1, the introduction of v4.0 signifies not merely an update, but a significant overhaul of the standard. It has been sculpted over the course of four years, with the collaboration of over 200 organizations contributing more than 6,000 pieces of feedback. 

PCI DSS v4.0 isn’t just about tackling contemporary security threats. It also paves the way for more innovative solutions to these challenges. With a shift towards outcome-based requirements, the updated standard promotes a more proactive, tailored approach to data security. 

In this blog post, we’ll provide a high-level overview of the changes in PCI DSS v4.0 with a special focus on significant changes. For a comprehensive list of updates and changes, check out the official PCI DSS Summary of Changes document, available here. 

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was established by major credit card companies like Visa, MasterCard, American Express, Discover, and JCB, who jointly formed the Payment Card Industry Security Standards Council (PCI SSC).

The PCI DSS standard includes 12 requirements for any business that processes credit card transactions. These requirements can be classified into six categories:

  1. Build and Maintain a Secure Network and Systems:
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect Cardholder Data:
    • Protect stored cardholder data.
    • Encrypt transmission of cardholder data across open, public networks.
  3. Maintain a Vulnerability Management Program:
    • Protect all system components against malware and regularly update anti-virus software or programs.
    • Develop and maintain secure systems and applications.
  4. Implement Strong Access Control Measures:
    • Restrict access to cardholder data by business need to know.
    • Identify and authenticate access to system components.
    • Restrict physical access to cardholder data.
  5. Regularly Monitor and Test Networks:
    • Track and monitor all access to network resources and cardholder data.
    • Regularly test security systems and processes.
  6. Maintain an Information Security Policy:
    • Maintain a policy that addresses information security for all personnel.

The aim of the PCI DSS is to reduce the risk of debit and credit card data loss. Companies that do not comply with PCI DSS can face penalties, fines, or even lose their ability to process credit card payments.

What is PCI DSS v4.0?

PCI DSS v4.0, the latest update to the payment card industry standard, introduces important changes. The focus is now more on sustaining continuous security and incorporating new ways to meet requirements. This version aims to keep up with the ever-changing payment card industry and the constant emergence of new technologies.

Related: How Cybercriminals Target eCommerce Shopping Carts

The Four Objectives of PCI DSS v4.0 

The 12 core requirements of PCI DSS remain largely the same from v3.2.1 to v4.0. However, v4.0 places a new emphasis on how these security measures should be put into practice. The main objectives of v4.0 are:

  1. Meeting the evolving security needs of the payments industry. This includes broader multi-factor authentication requirements, updated password rules, and new e-commerce and phishing requirements to tackle ongoing threats.
  2. Promoting security as an ongoing process. The new version assigns clear roles and responsibilities for each requirement and provides additional guidance to help with implementing and maintaining security.
  3. Providing flexibility to organizations using diverse methods to achieve security goals. It introduces allowances for group, shared, and generic accounts. Risk analyses are more targeted, helping organizations decide how frequently to perform certain activities. A new ‘Customized Approach’ allows organizations to implement and validate PCI DSS requirements in innovative ways.
  4. Enhancing validation methods and procedures. The alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance is improved.

An Overview of Changes in PCI DSS v4.0

Enhanced Requirements for Passwords, Multi-Factor Authentication, and Identity & Access Management

In the quest to secure cardholder data, PCI DSS v4.0 introduces improved requirements around password management, multi-factor authentication (MFA), and identity & access management.

The new password requirements for application and system accounts now demand more robust password length, complexity, and frequency of changes. The specifics include: a minimum password length of 12 characters (up from the previous 7), a mix of numeric and alphabetic characters for complexity, a maximum of 10 failed login attempts before lockout (previously 6 attempts), a minimum lockout duration of 30 minutes, and password changes every 90 days with history tracking the previous four passwords. Importantly, PCI DSS v4.0 offers additional ways to meet the 90-day expiration requirement. It now recognizes the use of MFA or real-time dynamic analysis of a user account’s security posture based on a zero-trust architecture as acceptable means to satisfy this control.

The updated standard also brings added clarity to the application of MFA. MFA is now required for remote access into the cardholder data environment (CDE), and when remote access is granted outside the CDE, an additional MFA control is required to gain access to the CDE from that network. This clarification is particularly important as the standard now explicitly states that MFA is also required for networks that have access to the CDE, where interconnected systems exist.

Annual Scoping Exercises and Targeted Risk Analysis

Under the previous PCI DSS 3.2.1 instructions, organizations were advised to undertake an annual scoping exercise. However, it was up to the organization being assessed to confirm that this exercise was carried out correctly. With the introduction of PCI DSS v4.0, this annual scoping exercise has become a formal requirement. This means it will now be validated by an assessor as part of the new stipulations within the standard.

Requirements for risk assessments have also changed. Instead of relying on a singular risk assessment process, PCI DSS v4.0 now demands a more nuanced approach. Organizations are required to conduct targeted risk analyses for all requirements where there’s a degree of flexibility. These targeted risk analyses need to be carried out at least once a year for every instance. For example, controls that are only required to be implemented “periodically” now come under this mandate. The outcomes of these targeted risk analyses must be documented and handed over to the assessor for review prior to the PCI assessment. 

Increased Security Requirements for Web Applications, HTTP Headers, and Payment Page Scripts

In response to the ever-evolving cybersecurity landscape, PCI DSS v4.0 introduces stricter regulations for public-facing web applications, HTTP headers, and payment page scripts.

For public-facing web applications, PCI DSS v4.0 mandates the continuous operation of an automated technical solution designed to detect and ward off web-based attacks. This solution must be placed in front of public-facing web applications and configured to either block web-based attacks or instantly generate alerts that trigger immediate investigations.

Related: Using the Cyber Kill Chain to Stop Magecart Attacks

To mitigate the potential damage of Magecart attacks, a new requirement has been introduced that necessitates a change and tamper-detection mechanism. This mechanism is to alert organizations about any unauthorized modifications to HTTP headers and the contents of payment pages as received by the consumer’s browser.

Further reinforcing these measures, organizations are now required to manage and maintain the integrity of all payment page scripts that are loaded and executed in the consumer’s browser. This includes any scripts pulled from third-party sites. This requirement underscores the need for robust controls to ensure the integrity and security of all elements interacting with a consumer’s browser, particularly in the sensitive area of payment transactions.

A New ‘Customized’ Approach to Implementation and Validation

PCI DSS v4.0 not only retains the existing prescriptive method for compliance but also introduces a fresh ‘Customized Approach’ to meeting requirements. This alternative approach allows organizations to use innovative technologies and methods to meet a control objective, even if they deviate from the predefined requirement approach. The primary aim here is to offer more flexibility to organizations, as long as they can demonstrate that their unique solution meets the objective of the PCI DSS requirement.

Related: What Data Loss Prevention (DLP) is a Marketing Problem

The Customized Approach necessitates more rigorous vetting and review compared to the previous ‘Compensating Controls’ model. It calls for comprehensive documentation, including a control matrix, and a targeted risk analysis. This ensures the organization has adequately addressed all associated risks and fulfilled the control objectives.

Key to understanding this significant shift is distinguishing ‘customized controls’ from ‘compensating controls.’ The latter are supplementary controls required when an organization can’t meet a requirement due to legitimate and documented technical or business constraints. In contrast, customized controls offer a flexible alternative to achieving strict requirements, paving the way for organizations to tailor their compliance to their specific needs.

This new methodology will be validated by an assessor. They will review the organization’s Customized Approach documentation, which includes a controls matrix and targeted risk analysis, and devise a procedure to validate the controls. This ensures the new flexible solutions align with the PCI DSS’s stringent security objectives.

When does PCI DSS v4.0 take effect?

PCI DSS v4.0 has been released and will run concurrently with PCI DSS v3.2.1 for a transition period of two years, starting from March 2022 to March 31, 2024. This timeline has been designed to give organizations the opportunity to familiarize themselves with the revisions in PCI DSS v4.0, adapt their reporting templates and forms, and strategize and implement changes to comply with the updated requirements.

After March 31, 2024, PCI DSS v3.2.1 will be retired, leaving PCI DSS v4.0 as the only active version of the standard. Assessors, once they have completed PCI DSS v4.0 training, will be able to conduct assessments using either version until this date.

Notably, PCI DSS v4.0 has introduced several new requirements. To allow organizations ample time to adopt these, they will have an additional year after the retirement of v3.2.1 to fully incorporate the requirements identified as future-dated in v4.0.

Until March 31, 2025, organizations won’t be obligated to validate these new requirements. Nevertheless, if organizations have already implemented controls to meet these new requirements, early assessment is encouraged.

Post-March 31, 2025, these future-dated requirements will become effective and must be fully included in any PCI DSS assessment. This approach ensures a seamless transition to the new standard while allowing organizations to pace their adoption of the new requirements.

Latest Posts

Ready to secure your
Go-to-Market efforts?

GET started