PCI DSS v4.0: What you need to know
PGI's Head of Risk and Compliance, Paul Traill, takes us through the key changes to the PCI DSS in Version 4.0
In March 2022, the PCI DSS Security Standards Council launched the long-awaited update to the standard, with Version 4.0. This is a significant amendment and is likely to have a major impact on regulatory compliance in the payment card industry, especially as it will become the standard by March 2024 and you will not be able to use the previous versions after that time. You will still be able to use the previous version (V3.2.1) until it is retired in March 2024, but some of the changes being introduced means it is strongly advised to start transitioning to Version 4.0 as soon as possible. With this new version, the Council has tried to meet four goals:
First of all, there is no need to panic. Transitioning to Version 4.0 will not be an overnight process; in many cases, it will need careful planning and coordination. The move could include some big projects and will require:
One of the biggest changes the Council has introduced, other than for specific controls, is to include a new method of implementing and validating PCI DSS compliance. In past and current versions, the ‘defined approach’ is used; this refers to specific requirements and testing procedures as defined within the standard itself.
With the release of Version 4.0 there is now also the ‘customised approach’; this allows your organisation to focus on specific control objectives rather than the traditional method (‘defined approach’) of implementation. So, a different control could be implemented for a specific requirement as long as it matches the intent and has been formally risk assessed.
A word of caution here: While the ‘customised approach’ will provide much greater flexibility for entities using different ways to achieve security, it is intended for organisations whoa re already risk-mature. The level of documentation and effort that will be required both for the entity and the assessor to validate a control will be much greater.
Version 4.0 of the standard document introduces a large amount of new guidance and clarifications. It is a 360-page artefact, so not a light read by any means, but it’s still worth looking at specific introductory or appendices sections if there is an aspect you are unsure about. You can also ask your Assessor as well, of course!
Of the numerous new controls included some of the more significant ones are:
Version 4.0’s new controls can have an impact across all entities, even the shortest Self-Assessment Questionnaire (SAQ A which is used for an ‘outsourced’ web payment channel) includes some of these new assessment controls, as well as the need for external vulnerability scanning. In previous versions this has not been the case, but with increasing and evolving threats, staying aware of vulnerabilities is vital:
For further information about all of the new PCI DSS Version 4.0 requirements and how this could impact your organisation, contact us.
At PGI, we’re proud to be among a select group of assessors recognised and acknowledged by the PCI Security Standards Council (SSC) for expertise, experience, and professionalism in the field of payment card data security.
Over the years, we have developed a range of content with the aim of educating organisations on cyber security threats and helping them defend their assets and reputation, so for us every month is Cyber Security Awareness Month.
On 26 September, Semafor published a lengthy article written by Jay Solomon claiming that a series of Iranian-American analysts and advisors to the Biden administration had been compromised as part of a long-running Iranian influence operation.
These days, there seems to be a variety of digital technologies on the horizon that are poised to disrupt the way we live our everyday lives.