PCI DSS 4.0 Updates: All You Need to Know

The PCI DSS released new version 4.0 at the end of March 2022. Find out what matters most in the PCI DSS 4.0 updates.

The PCI DSS released a new version 4.0 at the end of March 2022. Just like PCI DSS 3.2, it introduces a comprehensive set of guidelines for securing systems involved in the processing, storing, and transmitting of payment card data. However, the new PCI DSS also addresses the growing demands of the evolving security threat landscape.

The main characteristic of the PCI DSS 4.0 is an “outcome-based” approach rather than a “must-implement” one. Merchants and service providers will still have to meet PCI DSS standards. However, they have more freedom to select their approach toward meeting those standards. 

The old version of the document will remain active through March 2024. The transition period ends in March 2025, when PCI DSS 4.0 goes into full effect. Let’s figure out what’s new in the PCI DSS 4.0.

Understanding the PCI DSS 4.0 Updates 

The major reasons behind upgrading PCI DSS 3.2.1 to PCI DSS 4.0 are the necessity to:

  • ensure the standard continues to meet the security needs of the payment card industry;
  • provide flexibility and support of additional methodologies to achieve security; 
  • promote security as a continuous process;
  • enhance validation methods and procedures.

Three main change types in the PCI DSS 4.0:

  • Evolving requirement – changes to ensure that the standard is up to date with emerging threats and changes in the payment industry (e.g. new or modified requirements, updated testing procedures, the removal of a requirement).
  • Clarification or guidance – updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  • Structure or format – reorganization of content, including combining, separating, and renumbering of requirements to align content.

This article focuses on the first type of changes as they add the most substantial value to the new PCI DSS 4.0. 

What’s new in the PCI DSS 4.0 Updates

The Summary of Changes from PCI DSS v3.2.1 to v4.0 document highlights all the key differences between PCI DSS 3.2.1 and PCI DSS 4.0. In general, PCI DSS 4.0 focuses on several specific areas – security, customized implementation, authentication, encryption, monitoring, and the frequency and methods of critical control testing.

We will not describe every single change; instead, let’s focus on the most significant updates that affect your compliance program.

Note: The new requirements included in PCI DSS 4.0 are either effective immediately for all PCI DSS v4.0 assessments, or are best practices until 31 March 2025, after which they become mandatory.

New Customized Approach to Increase Flexibility for Organizations 

Earlier, when merchants and service providers could not meet some of the controls of PCI DSS 3.2.1, for one reason or another, they were required to implement compensating controls. It was also necessary to justify the compensating control with a risk assessment and a Compensating Control Worksheet.

This option is still available in PCI DSS 4.0. However, there is also an alternative to the compensating control approach. PCI DSS 4.0 introduces a new Customized Approach that allows entities to leverage technologies to satisfy an objective while not necessarily meeting the defined control requirement. In other words, merchants and service providers are given an opportunity to achieve the objective by means most feasible for them.  The main aim of such an update is to allow organizations more flexibility as long as they can demonstrate their custom solution meets the objective of the PCI DSS requirement.   

Note: Not all controls are eligible for the customized approach. For instance, PCI DSS 3.3.1, which prohibits the storage of sensitive authentication data after authorization, cannot be customized.

At the same time, the Customized Approach requires more vetting and review, including a targeted risk assessment to ensure the entity has fully addressed all associated risks.

Stricter Requirements for Risk Assessment

If you performed a risk assessment under PCI DSS 3.2, you know that the process already had many tough requirements. The PCI DSS 4.0 risk assessment requirements are tougher still, especially when a customized approach is used. These include (but are not limited to):

  • document and confirm the PCI DSS scope of the in-scope environment at least every 12 months and upon a significant change. The new PCI DSS also contains additional documentation requirements for service providers;
  • conduct risk assessment for any customized control at least every 12 months;
  • conduct at least an annual review of hardware and software technologies in use and develop a plan to remediate outdated technologies if necessary.

By the way, we have written about a step-by-step risk assessment process in our blog post How to Conduct a Risk Assessment. 

More Stringent Security Requirements 

Despite the new requirements and obligations, the ultimate goal of PCI DSS remains the same: to ensure that merchants safely and securely store, process, and transmit cardholder data. To that end, PCI DSS 4.0 sets the bar higher and introduces stronger security standards.

Authentication: Deeper Focus on NIST MFA

The new PCI DSS relies more on applying stronger authentication standards to payment and control processes. With this, NIST Password Guidance moves to the forefront.

Accordingly, PCI DSS 4.0 focuses more on remote access and on access into the cardholder data environment (CDE). An additional MFA step is now required to gain access to the CDE. First, the user has to authenticate to the remote access solution using MFA, and then authenticate again when connecting from the remote network to the CDE entry point, such as the bastion host.

PCI DSS v4.0 has also partnered with Europay, Mastercard, and Visa (EMVCo) to implement the use of a 3DS Core Security Standard during transaction authorization. This new standard opens the door for organizations to build their own unique authentication standards. Furthermore, this new 3DS Standard allows organizations to scale their own authentication standards to fit the company’s transaction objectives.

New Password Requirements

Along with expanded authentication requirements, the new PCI DSS also imposes stricter password requirements. These include:

  • Minimum Password Length – 12 characters (previously 7 characters) 
  • Minimum Complexity – numeric and alphabetic 
  • Lockout Requirements – no more than ten failed attempts (previously 6 attempts) 
  • Minimum Lockout Duration – 30 minutes 
  • Password Expiration – 90 days (PCI DSS 4.0 offers additional options to satisfy the 90-day expiration requirement: it clarifies the use of MFA and allows real-time dynamic analysis of a user account’s security posture instead).
  • Password History – previous 4 passwords 
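As an added illustration that is not from the article or from the PCI SSC, the following Python sketch encodes the parameters above as a password-policy and lockout check; the class and function names are assumptions, and the digest helper is only a stand-in for a proper salted password hash.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

@dataclass
class Policy:
    min_length: int = 12            # PCI DSS 4.0: 12 characters (3.2.1 required 7)
    max_failed_attempts: int = 10   # lock after 10 failed attempts (3.2.1: 6)
    lockout_minutes: int = 30       # minimum lockout duration
    max_age_days: int = 90          # expiry, unless MFA/dynamic analysis is used instead
    history_depth: int = 4          # the previous 4 passwords may not be reused

@dataclass
class Account:
    history: list = field(default_factory=list)   # password digests, newest last
    last_change: datetime = None
    failed_attempts: int = 0
    locked_until: datetime = None

def password_digest(pw: str) -> str:
    # Constructed for this example only; production code needs a salted, slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def password_violations(pw: str, acct: Account, policy: Policy = Policy()) -> list:
    """Names every rule a proposed password breaks; an empty list means it is acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("length")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("complexity")
    if password_digest(pw) in acct.history[-policy.history_depth:]:
        problems.append("history")
    return problems

def password_expired(acct: Account, now: datetime, policy: Policy = Policy()) -> bool:
    return acct.last_change is None or now - acct.last_change > timedelta(days=policy.max_age_days)

def record_login(acct: Account, success: bool, now: datetime, policy: Policy = Policy()) -> str:
    """Applies the lockout rule; returns 'locked', 'failed' or 'ok'."""
    if acct.locked_until and now < acct.locked_until:
        return "locked"
    if success:
        acct.failed_attempts, acct.locked_until = 0, None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.max_failed_attempts:
        acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        acct.failed_attempts = 0
        return "locked"
    return "failed"
```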

Encryption: Broader Applicability on Trusted Networks 

In the previous version of PCI DSS, only systems storing or transmitting data had to be encrypted. Encryption was required for sensitive cardholder data. For instance, organizations were allowed to hash only sensitive parts of a primary account number (PAN). In 4.0, encryption is expanded and includes magnetic stripe data, chip data, card verification codes, and PINs. 

New Ownership and Role Requirements

With the new PCI DSS ownership and role requirements, merchants and service providers must properly communicate roles, responsibilities, and ownership for every task. Responsibilities must be formally documented, assigned, and understood by the owner. In addition to the above, PCI DSS 4.0 adds guidance to help people better understand how to implement and maintain the best security practices.

PCI DSS v4.0 Compliance Levels Remain Unchanged

Compliance levels under PCI DSS 4.0 remain unchanged. There are 4 levels for merchants and 2 levels for service providers. The levels are determined by the number of transactions a merchant or service provider processes over one year. More on defining your PCI compliance level in the article Identify Your PCI Compliance Level.

The new PCI DSS requirements should help meet the needs of the evolving security threat landscape.  However, they will take time and effort to establish. We recommend merchants and service providers start adopting the new processes well in advance. Starting sooner rather than later will be key to your future PCI DSS compliance success.

Need help with PCI DSS compliance? Planet 9 professionals can help you become and remain PCI compliant. Depending on your company’s size and volume of annual credit card transactions, we can, among other things:

  • evaluate the ‘security maturity’ of your organization to establish a baseline;
  • based on the security maturity and validation requirements, prepare a plan to raise the organizational maturity;
  • develop a roadmap for mitigating the identified compliance gaps and risks, and then assist the client on executing the roadmap;
  • prepare and share the requirements and steps needed to complete the required compliance activities.

To stay updated on recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646
