PCI DSS v4.0: What you need to know

In March 2022, the PCI DSS Security Standards Council launched the long-awaited update to the standard, with Version 4.0. This is a significant amendment and is likely to have a major impact on regulatory compliance in the payment card industry, especially as it will become the standard by March 2024 and you will not be able to use the previous versions after that time. You will still be able to use the previous version (V3.2.1) until it is retired in March 2024, but some of the changes being introduced means it is strongly advised to start transitioning to Version 4.0 as soon as possible. With this new version, the Council has tried to meet four goals:

• Continue to meet and match the security requirements needed to combat real and ongoing threats.
• Ensure that security controls are applied as a continuous process.
• Add compliance reporting flexibility, to support technology innovations such as those that are occurring in the cloud and virtualised space.
• Re-align and enhance compliance validation in support of transparency and granularity.

So, what does this all mean for Merchants and Service Providers?

First of all, there is no need to panic. Transitioning to Version 4.0 will not be an overnight process; in many cases, it will need careful planning and coordination. The move could include some big projects and will require:

• Thinking about required resources, implementation lead times, buy-in and support from senior management, and budget cycles.
• Determining where your organisation is today, and where it needs to be in 2024. This is where a v3.2.1 vs. v4.0 gap assessment could be useful.
• Starting to plan and communicate with your Assessor so you will be ready by March 2024.

Compliance validation possibilities

One of the biggest changes the Council has introduced, other than for specific controls, is to include a new method of implementing and validating PCI DSS compliance. In past and current versions, the ‘defined approach’ is used; this refers to specific requirements and testing procedures as defined within the standard itself.

With the release of Version 4.0 there is now also the ‘customised approach’; this allows your organisation to focus on specific control objectives rather than the traditional method (‘defined approach’) of implementation. So, a different control could be implemented for a specific requirement as long as it matches the intent and has been formally risk assessed.

A word of caution here: While the ‘customised approach’ will provide much greater flexibility for entities using different ways to achieve security, it is intended for organisations whoa re already risk-mature. The level of documentation and effort that will be required both for the entity and the assessor to validate a control will be much greater.

New guidance and clarifications

Version 4.0 of the standard document introduces a large amount of new guidance and clarifications. It is a 360-page artefact, so not a light read by any means, but it’s still worth looking at specific introductory or appendices sections if there is an aspect you are unsure about. You can also ask your Assessor as well, of course!

Of the numerous new controls included some of the more significant ones are:

• Two new preventative and detective controls focused on protecting against phishing attacks.
• Two new controls targeted on addressing e-commerce skimming threats by authorising and strictly controlling all payment page scripts.
• Major focus on risks associated with Service Accounts, including periodic change of passwords.
• Multi-Factor Authentication (MFA) now required for all access into the Cardholder Data Environment.
• Detect and alert on failures of critical security control systems.
• Major uplift in inventory documentation (e.g. trusted keys and digital certificates, software, cryptography cipher suites/protocols).

An example of the changes

Version 4.0’s new controls can have an impact across all entities, even the shortest Self-Assessment Questionnaire (SAQ A which is used for an ‘outsourced’ web payment channel) includes some of these new assessment controls, as well as the need for external vulnerability scanning. In previous versions this has not been the case, but with increasing and evolving threats, staying aware of vulnerabilities is vital:

Supporting your journey towards compliance with Version 4.0

For further information about all of the new PCI DSS Version 4.0 requirements and how this could impact your organisation, contact us.

At PGI, we’re proud to be among a select group of assessors recognised and acknowledged by the PCI Security Standards Council (SSC) for expertise, experience, and professionalism in the field of payment card data security.