PCI DSS 4.0: What You Need to Know

What is PCI DSS v4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard that establishes adequate operational and technical criteria for account data protection. The next evolution of the standard PCI DSS v4.0 was released on March 31, 2022.

The latest revision of the PCI standard, PCI DSS v4.0, significantly changes the criteria while emphasizing ongoing security and including new approaches to comply with them. PCI DSS v4.0 replaces the PCI DSS version 3.2.1 in an effort to handle emerging threats and technologies strategically, offer innovative approaches for combating growing threats, and secure other elements in the payment ecosystem.

PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all payment card account processing entities – merchants, processors, acquirers, issuers, and other service providers.

The PCI DSS v3.2.1 will be in use for two years after the release of PCI DSS v4.0 on March 31, 2022. The goal of the transition period, which runs from March 31, 2022, to March 31, 2024, is to provide organizations adequate time to acquaint themselves with the PCI DSS v4.0 updates, update their reporting templates and forms, and plan and implement those updates. Some rules go into effect immediately, but the majority don't until March 31, 2025, giving organizations a full year to implement the challenging ones.

What’s New in PCI DSS v4.0?

The PCI DSS v4.0 updates intend to address the ever-evolving security requirements of the payments industry, promote security as a continuous process, boost flexibility, and enhance procedures for organizations employing various security-related approaches.

The latest version introduces several updates. For a comprehensive view, please refer to the Summary of Changes from PCI DSS v3.2.1 to v4.0, found in the PCI SSC Document Library.

Flexibility

The main change is adopting a completely new approach to meeting requirements dubbed the customized approach (flexibility). A customized strategy allows organizations to use cutting-edge technology and innovative controls to achieve the PCI DSS security criteria. As a result, enterprises can adhere to the stringent PCI DSS criteria more flexibly and personally.

The assessor will examine the entity's customized approach documents (including a controls matrix and a focused risk analysis) and create a procedure for evaluating the controls to confirm that the customized controls adhere to the PCI DSS requirements.

The distinction between customized controls and compensatory controls must be made clear. When an organization cannot meet a requirement for an acceptable and acknowledged technical or commercial restriction, compensating controls, also known as mitigating controls, are necessary. On the other hand, customized controls offer a flexible replacement for complying with rigid specifications.

Security & Authentication

Major updates have been made to security measures to continue to meet the security requirements of the payments sector, which must evolve as threats change. These include:

• adding authentication controls, such as stringent multi-factor authentication requirements when accessing the cardholder data environment
• updating password requirements, including the requirement to increase the password length from 8 characters to 12
• changes to shared, group, and generic account requirements
• clearly assigned roles and responsibilities for each requirement

Encryption

It is now necessary to only utilize disk-level or partition-level encryption to make the PAN unreadable on removable electronic media.

Monitoring

Merged requirements and updated the security monitoring systems to be monitored and responded to as part of the incident response plan.

Critical Control Testing Frequency

New requirement for all entities to detect, alert, and promptly address failures of critical security control systems. This requirement is a best practice until 31 March 2025.

Key PCI DSS Version 4.0 Requirement Updates

Build and Maintain a Secure Network and Systems

1. Install and Maintain Network Security Controls

Protecting sensitive payment card data requires installing and maintaining network security controls. These safeguards include strong firewalls, intrusion detection systems, and encryption methods to prevent data breaches and cyberattacks.

2. Apply Secure Configurations to All System Components

Malicious actors frequently attack systems using default vendor settings and passwords, both within and external to an organization. These passwords and settings are well-known and can be discovered using data that is readily accessible.

Applying secure configurations to all system components reduces an attacker's possibility of compromising the system. The possible attack surface can be decreased by changing default passwords, eliminating unnecessary software, functionalities, and accounts, and deactivating or uninstalling unnecessary services.

Protect Account Data

3. Protect Stored Account Data

Important elements of account data protection include encryption, truncation, masking, and hashing. Even if a hacker manages to get past other security measures and acquire encrypted account data, the hacker cannot access the data without the correct cryptographic keys. Examples of risk-reduction strategies include avoiding holding account information unless absolutely essential, truncating cardholder data when the entire PAN is not required, and refraining from providing unprotected PANs via end-user messaging platforms like email and instant messaging.

4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Strong encryption increases the likelihood that data secrecy, integrity, and non-repudiation will be maintained. PAN must be encrypted while being transmitted via networks, especially untrusted and public networks, that are easy for hackers to access to prevent compromise. Since a network holds, processes, or transmits cardholder data, any transmissions of cardholder data through its internal network(s) will automatically subject it to PCI DSS. Any such networks must be evaluated and assessed in accordance with the relevant PCI DSS rules.

Maintain a Vulnerability Management Program

5. Protect All Systems and Networks from Malicious Software

Malicious software or firmware must be detected and removed to protect all systems and networks from malicious software. Examples of malicious software include viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links.

6. Develop and Maintain Secure Systems and Software

It's crucial to develop and maintain secure systems and software, as security vulnerabilities can be exploited by individuals with malicious intent to gain privileged access to systems. Organizations must routinely update their software components via the necessary software patches to ensure no software intrusion.

Implement Strong Access Control Measures

7. Restrict Access to System Components and Cardholder Data by Business Need to Know

Due to ineffective access control rules, unauthorized individuals may access critical data or systems. Systems and procedures that restrict access based on a need to know and in accordance with job duties must be in place to ensure that authorized individuals can access data. These requirements apply to user accounts and access for employees, contractors, consultants, internal and external vendors, and other third parties (for example, for providing support or maintenance services). Certain requirements also apply to application and system accounts used by the entity (also called “service accounts”).

8. Identify Users and Authenticate Access to System Components

Two fundamental principles of identifying and authenticating users are to:

1. establish the identity of an individual or process on a computer system, and
2. prove or verify the user associated with the identity is who the user claims to be.

The element used to prove or verify the identity is known as the authentication factor. Authentication factors are:

1. something you know, such as a password or passphrase;
2. something you have, such as a token device or smart card; or
3. something you are, such as a biometric element.

9. Restrict Physical Access to Cardholder Data

Any physical access to systems that store, process, or transmit cardholder data should be suitably limited since it allows individuals to access and/or remove systems or hardcopies containing cardholder data.

Regularly Monitor and Test Networks

10. Log and Monitor All Access to System Components and Cardholder Data

To prevent, identify, or mitigate the effects of a data compromise, it is essential to have logging methods and the ability to monitor user activity. Logs are present on every system component and in the Cardholder Data Environment (CDE), enabling full monitoring, notification, and analysis if something goes wrong. Without system activity logs, it is difficult, if not impossible, to identify the cause of a compromise.

This criterion is applicable to all user activities, including those taken by employees, independent contractors, consultants, suppliers both internal and external, and other third parties (such as those offering support or maintenance services). It exempts the user activity of consumers (cardholders).

11. Test the Security of Systems and Networks Regularly

To ensure that security policies continue to take into account the ever-evolving environment, system components, processes, and customized and custom software should all undergo regular testing.

Maintain an Information Security Policy

12. Support Information Security with Organizational Policies and Programs

The overall information security policy of the organization establishes the tone for the entire organization and specifies what is expected of the employees. Every employee should understand the sensitivity of cardholder data and the need for protection.