PCI DSS 4.0 was released at the end of March 2022. Find out what's most important in the PCI DSS 4.0 updates.
The PCI Security Standards Council (PCI SSC) released PCI DSS version 4.0 at the end of March 2022. Just like PCI DSS 3.2.1, it sets out a comprehensive set of requirements for securing systems that process, store, or transmit payment card data. The new version also addresses the growing demands of an evolving threat landscape.
The main characteristic of PCI DSS 4.0 is an "outcome-based" approach rather than a "must-implement" one. Merchants and service providers still have to meet the PCI DSS requirements, but they have more freedom in choosing how they meet them.
PCI DSS v3.2.1 remains active until 31 March 2024, when it is retired. The transition period runs until 31 March 2025, after which the future-dated requirements in v4.0 become mandatory. Let's figure out what's new in PCI DSS 4.0.
The major reasons behind upgrading PCI DSS 3.2.1 to PCI DSS 4.0 are the necessity to:
Three main change types in the PCI DSS 4.0:
This article focuses on the first type of changes as they add the most substantial value to the new PCI DSS 4.0.
The Summary of Changes from PCI DSS v3.2.1 to v4.0 published by the PCI SSC highlights all the key differences between PCI DSS 3.2.1 and PCI DSS 4.0. In general, PCI DSS 4.0 focuses on several specific areas: security as a continuous process, customized implementation, authentication, encryption, monitoring, and the frequency and methods used to test critical controls.
We will not describe every single change; instead, let's focus on the most significant updates that affect your compliance program.
Note: The new requirements in PCI DSS 4.0 are either effective immediately for all PCI DSS v4.0 assessments, or are considered best practices until 31 March 2025, after which they become mandatory.
Previously, when merchants and service providers could not meet a PCI DSS 3.2.1 control for one reason or another, they had to implement compensating controls, justify them with a risk assessment, and document them on a Compensating Control Worksheet.
This option is still available in PCI DSS 4.0 as part of what the standard now calls the defined approach. However, there is now an alternative: the Customized Approach, which allows entities to use technologies or processes that satisfy a requirement's stated objective without necessarily implementing the defined control as written. In other words, merchants and service providers can achieve the objective by whatever means are most feasible for them. The aim of this update is to give organizations more flexibility, as long as they can demonstrate that their custom solution meets the objective of the PCI DSS requirement.
Note: Not all requirements are eligible for the customized approach. For instance, Requirement 3.3.1, which prohibits storing sensitive authentication data after authorization, cannot be customized.
At the same time, the Customized Approach requires more vetting and review, including a targeted risk analysis for each customized control to ensure the entity has fully addressed the associated risks, and enough documentation for the assessor to derive testing procedures and validate the control.
If you performed a risk assessment under PCI DSS 3.2.1, you know the process already has demanding requirements. The PCI DSS 4.0 targeted risk analysis requirements for the customized approach are tougher still. These include (but are not limited to):
By the way, we have written about a step-by-step risk assessment process in our blog post How to Conduct a Risk Assessment.
Despite the new requirements and obligations, the ultimate goal of PCI DSS remains the same: to ensure that merchants and service providers store, process, and transmit cardholder data safely and securely. To that end, PCI DSS 4.0 sets the bar higher and introduces stronger security requirements.
The new PCI DSS relies more heavily on strong authentication for payment and control processes, and its password rules are aligned with NIST's password guidance (SP 800-63B).
Accordingly, PCI DSS 4.0 focuses more on remote access and on access into the cardholder data environment (CDE). MFA is now required for all access into the CDE, not only for administrators, and separately for remote access originating outside the entity's network. A remote user therefore authenticates twice: first with MFA to establish the remote connection, and then again with MFA at the CDE entry point, such as a bastion host.
Alongside PCI DSS, the PCI SSC works with EMVCo (originally Europay, Mastercard, and Visa) on the PCI 3DS Core Security Standard, which covers the components of the EMV 3-D Secure protocol used to authenticate cardholders during e-commerce transactions. It gives organizations a framework for deploying cardholder authentication that scales with their transaction volumes.
Along with the expanded authentication requirements, the new PCI DSS also sets stricter password requirements. These include:
Under PCI DSS 3.2.1, protection of stored account data focused on the primary account number (PAN), which had to be rendered unreadable anywhere it was stored (for example by truncation, one-way hashing, tokenization, or strong encryption), and an unkeyed one-way hash of the full PAN was acceptable. PCI DSS 4.0 tightens this in two ways. First, hashes used to render PAN unreadable must be keyed cryptographic hashes of the entire PAN (Requirement 3.5.1.1, mandatory from 31 March 2025). Second, sensitive authentication data (full track data from the magnetic stripe or chip, card verification codes, and PINs or PIN blocks) that is stored electronically before authorization completes must itself be encrypted with strong cryptography (Requirement 3.3.2). Storing sensitive authentication data after authorization remains prohibited (Requirement 3.3.1).
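As an added example (not part of the original post and not PCI SSC material), the following Python shows why 4.0 moved from unkeyed to keyed PAN hashes. When a truncated PAN (first six and last four digits, one permitted truncation format) and a plain SHA-256 of the full PAN are both available, an attacker only has to enumerate the hidden middle digits to recover the card number. The sample PAN is the well-known Visa test number, the HMAC key is a constructed placeholder, and the function names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: the widely published Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def truncate_pan(pan: str) -> str:
    """Truncation for display/storage: keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """The pattern accepted under 3.2.1: a plain SHA-256 of the full PAN, no secret key."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """What 4.0 Requirement 3.5.1.1 asks for: a keyed cryptographic hash (HMAC) of the entire PAN.
    The key must be managed like an encryption key; without it the digest cannot be recomputed."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_unkeyed_hash(truncated: str, digest_hex: str) -> Optional[str]:
    """Attacker view: given the truncated PAN and an unkeyed SHA-256 of the full PAN,
    try every value for the masked digits until one hashes to the stored digest.
    For a 16-digit PAN that is at most 10**6 candidates, which takes about a second."""
    bin6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    target = bytes.fromhex(digest_hex)
    for middle in range(10 ** hidden):
        candidate = f"{bin6}{middle:0{hidden}d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


def render_unreadable(pan: str, key: bytes) -> dict:
    """A stored record in the 4.0 style: truncated PAN for display plus an HMAC for matching.
    Note that the same correlation attack does not work here because the attacker lacks the key."""
    return {"truncated": truncate_pan(pan), "keyed_hash": keyed_hash(pan, key)}


if __name__ == "__main__":
    # Constructed placeholder key; in production this comes from an HSM or key-management service.
    hmac_key = secrets.token_bytes(32)

    trunc = truncate_pan(SAMPLE_PAN)
    weak = unkeyed_hash(SAMPLE_PAN)
    print("Truncated PAN:", trunc)
    print("Unkeyed SHA-256:", weak)
    print("Recovered from truncation + unkeyed hash:", recover_pan_from_unkeyed_hash(trunc, weak))

    record = render_unreadable(SAMPLE_PAN, hmac_key)
    print("4.0-style record:", record)
```

The attack works because the BIN and last four digits are public knowledge for anyone holding the truncated value, and the remaining space is tiny. This is also why the standard warns that when hashed and truncated versions of the same PAN exist in an environment, additional controls must ensure the two cannot be correlated to reconstruct the original PAN; a keyed hash removes the cheap correlation, provided the key is protected.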
Under the new ownership and role requirements, merchants and service providers must clearly communicate roles, responsibilities, and ownership for every task. Responsibilities must be formally documented, assigned, and understood by their owners. In addition, PCI DSS 4.0 adds guidance to help people better understand how to implement and maintain good security practices.
Compliance levels under PCI DSS 4.0 remain unchanged: there are four levels for merchants and two for service providers, determined by the number of card transactions processed per year, as defined by the card brands. More on defining your PCI compliance level in the article Identify Your PCI Compliance Level.
The new PCI DSS requirements should help meet the needs of the evolving security threat landscape. However, they will take time and effort to establish. We recommend merchants and service providers start adopting the new processes well in advance. Starting sooner rather than later will be key to your future PCI DSS compliance success.
Need help with PCI DSS compliance? Planet 9 professionals can help you become and remain PCI compliant. Depending on your company's size and volume of annual credit card transactions, we can, among other things:
To stay updated on recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!