PCI DSS v4.0: What you need to know
Paul Traill, Head of Risk and Compliance
In March 2022, the PCI Security Standards Council launched the long-awaited update to the standard, Version 4.0. This is a significant amendment and is likely to have a major impact on regulatory compliance in the payment card industry.
With this new version, the Council has tried to meet four goals:
- Continue to meet and match the security requirements needed to combat real and ongoing threats.
- Ensure that security controls are applied as a continuous process.
- Add compliance reporting flexibility, to support technology innovations such as those that are occurring in the cloud and virtualised space.
- Re-align and enhance compliance validation in support of transparency and granularity.
So, what does this all mean for Merchants and Service Providers?
First of all, there is no need to panic. Transitioning to Version 4.0 will not be an overnight process; in many cases, it will need careful planning and coordination. As such, Version 3.2.1 (the current version) can still be used until it is retired in March 2024. However, while that may feel a long way off, some of the changes being introduced mean it is strongly advised to start planning for this now.
The move to Version 4.0 could include some big projects and will require:
- Thinking about required resources, implementation lead times, buy-in and support from senior management, and budget cycles.
- Determining where your organisation is today and where it needs to be in 2024, perhaps via a v3.2.1 vs. v4.0 gap assessment.
- Starting to plan and communicate with your Assessor so you will be ready in 2 years’ time.
Compliance validation possibilities
One of the biggest changes the Council has introduced, beyond changes to specific controls, is a new method of implementing and validating PCI DSS compliance. In past and current versions, the ‘defined approach’ is used; this refers to the specific requirements and testing procedures defined within the standard itself.
With the release of Version 4.0 there is now also the ‘customised approach’; this allows entities to focus on specific control objectives rather than the traditional method (‘defined approach’) of implementation. So, a different control could be implemented for a specific requirement as long as it matches the intent and has been formally risk assessed.
A word of caution here: While the ‘customised approach’ will provide much greater flexibility for entities using different ways to achieve security, it is really intended for very risk-mature organisations. The level of documentation and effort that will be required both for the entity and the assessor to validate a control will be much greater.
New guidance and clarifications
Version 4.0 of the standard document itself introduces a large amount of new guidance and clarifications. It is a 360-page artefact, so not a light read by any means, but still worth consulting the introductory sections or appendices if there is an aspect you are unsure about. You can also ask your Assessor, of course!
Of the numerous new controls included, some of the more significant ones are:
- Two new preventative and detective controls focused on protecting against phishing attacks.
- Two new controls targeted on addressing e-commerce skimming threats by authorising and strictly controlling all payment page scripts.
- Major focus on risks associated with Service Accounts, including periodic change of passwords.
- Multi-Factor Authentication (MFA) now required for all access into the Cardholder Data Environment.
- Detect and alert on failures of critical security control systems.
- Major uplift in inventory documentation (e.g. trusted keys and digital certificates, software, cryptography cipher suites / protocols).
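As an added illustration of the payment-page script control listed above (example code, not from the original post or the Council), the following Python check audits a checkout page against an authorised script inventory, flagging scripts that are not on the inventory, are inline, or do not carry the expected integrity value; the URLs, script body and page are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record the src and integrity attributes of every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def sri_sha384(content: bytes) -> str:
    """Subresource Integrity value for a script body: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def audit_payment_page(html: str, inventory: dict) -> list:
    """Return findings; an empty list means every script is authorised and pinned.
    inventory maps script URL -> expected SRI value (a real inventory would also
    record the written justification for each script beside that entry)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        if src is None:  # inline scripts have no URL to match against the inventory
            findings.append("inline script not on inventory")
        elif src not in inventory:
            findings.append(f"unauthorised script: {src}")
        elif integrity != inventory[src]:
            findings.append(f"missing or mismatched integrity: {src}")
    return findings


# Constructed sample data: one approved checkout script, its inventory entry, and a page
# that also loads an unapproved analytics script and an inline snippet.
APPROVED_URL = "https://pay.example/checkout.js"
INVENTORY = {APPROVED_URL: sri_sha384(b"window.checkout = {};")}
SAMPLE_PAGE = (
    f'<html><body><script src="{APPROVED_URL}" integrity="{INVENTORY[APPROVED_URL]}"></script>'
    '<script src="https://cdn.example/analytics.js"></script>'
    '<script>document.title = "x";</script></body></html>'
)
```

Running `audit_payment_page(SAMPLE_PAGE, INVENTORY)` reports the analytics script and the inline snippet while passing the pinned checkout script; the same check run on each release, or periodically against the live page, is one way to evidence the control.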
An example of the changes
As an example of how Version 4.0’s new controls can have an impact across all entities, even the shortest Self-Assessment Questionnaire (SAQ A, used for an ‘outsourced’ web payment channel) includes some of these new assessment controls, as well as the need for external vulnerability scanning. In previous versions this has not been the case, but with increasing and evolving threats, staying abreast of vulnerabilities is vital.
Supporting your journey towards compliance with Version 4.0
For further information about all of the new PCI DSS Version 4.0 requirements and how this could impact your organisation, contact us.
At PGI, we’re proud to be among a select group of assessors recognised and acknowledged by the PCI Security Standards Council (SSC) for expertise, experience, and professionalism in the field of payment card data security.