PCI DSS 4.0: Changes and How to Be Compliant

May 25, 2023


Payment card transactions are an integral part of today’s ecommerce. Both merchants and consumers increasingly rely on these electronic payment methods, which raises the question of how sensitive cardholder data is protected. The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of guidelines introduced to safeguard cardholder data during each step of payment processing.

In March 2022, the PCI Security Standards Council (PCI SSC) released the latest version, PCI DSS 4.0, which goes into effect on March 31, 2024. PCI DSS 4.0 was created to address the ever-evolving threat of cyberattacks and enhance data security measures.

In this article, learn about the key elements of PCI DSS 4.0, the most notable changes, and how to become compliant with this newest version.

PCI DSS v4.0: What Is Changing?

In response to current cybersecurity trends and technological advances, PCI DSS 4.0 takes a more expansive view on security. This means that organizations are allowed to design and use their own customized security systems, as long as they satisfy the overarching requirement of data protection.

Here are some of the outstanding changes that PCI DSS 4.0 introduces in an attempt to address emerging security challenges.

1. Implementation Flexibility

While PCI DSS 3.2.1 and previous versions strictly dictated how cardholder data security had to be implemented, the new version provides more flexibility regarding the ways organizations achieve these security objectives. The new standards allow companies to create their own controls and mechanisms, taking into account their risk profile and infrastructure.

Organizations must still define their controls, explain how they operate, how they are maintained, and describe how they meet the prescribed security objectives. These security solutions also have to undergo formal risk assessment procedures.

Note: Merchants who wish to process electronic payments need to become PCI compliant. Learn more about what it takes in our article PCI Compliance Checklist for Merchants.

2. Security

The broad term “security” refers to all parts of the system that ensure cardholder data protection in online payment processing, such as:

  • Software security. PCI DSS 4.0 highlights the importance of secure software development practices. It emphasizes the need for secure coding, regular vulnerability scanning, and penetration testing to ensure the robustness of applications handling payment card data. In addition, it focuses on speed as an essential trait of smarter software development, and on controlled access by third parties to decrease the area of vulnerability.
  • Secure system configuration. The updated version includes additional requirements for secure system configuration and for testing vulnerabilities to counter evolving cyber threats. It provides more detailed guidance on secure configuration practices and emphasizes the importance of regularly updating and patching systems across the entire organization.
  • Network security controls. The words “firewall” and “router” were replaced with the term “network security controls” so that other technologies are included (e.g., virtualization/container systems, cloud access controls, virtual devices, etc.).
  • Cloud computing. The use of cloud computing has increased significantly in recent years. Without being prescriptive, PCI DSS 4.0 provides guidance on how cloud services and cloud-based technology should be used so that security objectives are achieved.
  • Password strength and authentication. PCI DSS 4.0 mandates the use of multifactor authentication and the elimination of weak passwords to enhance user authentication and mitigate the risks of unauthorized access.
  • Encryption and cryptography. The latest version reinforces the importance of encryption and cryptography by expanding requirements related to key management, encryption algorithms, and secure cryptographic protocols.
  • Malware. The updated version introduces the specific term “malware” to remove ambiguity that existed in the previous version. The term refers not only to all variants of viruses, but also to malicious code, ransomware, spyware, and other types of attacks on data security from outside factors.
  • Penetration testing. This version introduces stricter and more detailed penetration testing requirements to identify vulnerabilities and ensure robust security controls. Importantly, companies now have to establish and document their penetration testing methodology. It also proposes reviews of testing results and efforts every 12 months.
  • Updated security procedures. The latest version proposes detailed protocols for implementing security controls. It also emphasizes new procedures for analyzing improvement, which assist auditors when checking for compliance.
  • New risk protocols. The newest version provides support for team members to detect risks and improve the overall security of cardholders’ data.
  • Regular testing and reporting. PCI DSS 4.0 reinforces the importance of regular testing for breaches and vulnerabilities, as well as reporting on the findings to stay updated with all developments.
  • Updated permissions. The newest version insists on updated permissions for group, shared, and public accounts for all team members when it comes to access to cardholders’ data. This includes sharing the information on a need-to-know basis.

3. Risk Assessment and Monitoring

PCI DSS 4.0 emphasizes the importance of continuous risk assessment and prioritization of security measures based on the identified risks. It encourages organizations to implement measures that effectively detect and mitigate threats, and continuously monitor progress in risk detection.

While the previous version also required risk assessment, PCI DSS 4.0 shifts the focus to the targeted assessment and monitoring of systems. The new standard requires that organizations implement controls that assess how their security mechanisms perform within the company’s risk posture. These assessments must be performed regularly and through formalized and documented procedures.

4. Critical Control Testing

By conducting critical control testing, businesses can identify weaknesses in their security controls and take necessary actions to strengthen their security. This is crucial for maintaining compliance with PCI DSS 4.0 and ensuring the protection of cardholder data from potential threats and breaches.

The newest version emphasizes the frequency of critical control testing. Regular and ongoing testing of critical controls is essential for uninterrupted cyber threat protection. Testing should not be a one-time event, but a continuous process.

The main difference from the previous version is that critical control testing should be employed by all businesses, and not just the ones that were previously compromised.

5. Reviewing and Reporting

PCI DSS 4.0 includes specific requirements for reviewing and reporting as part of maintaining compliance. These requirements aim to ensure that the business regularly assesses its security methods and solutions, monitors for potential vulnerabilities and threats, and keeps proper documentation of these activities.

Regular reporting on testing, monitoring daily access logs, and analyzing security events are necessary for identifying and responding to security incidents efficiently. Businesses should keep documentation such as policies, procedures, system inventories, diagrams, and vulnerability scan results. This serves as evidence of compliance during assessments and shows that the business is committed to data security. Businesses should fill out reports on compliance, self-assessment questionnaires, or attestations of compliance for this purpose.

Note: For more information on PCI DSS 4.0 compliance, refer to the PCI DSS v4.0 Resource Hub.

How to Achieve Compliance with PCI DSS v4.0?

The first step all businesses must take to achieve compliance with PCI DSS 4.0 is to start working with a reliable payment processor, merchant acquirer, or payment service provider. This is a basic requirement for processing electronic payments securely while protecting customer information.

These are the steps each merchant should take to become compliant with PCI DSS 4.0:

  1. Understand the requirements. Merchants should familiarize themselves with all PCI DSS 4.0 standards. They can get informed through the PCI Security Standards Council to gain a clear understanding of how to meet the requirements and protect customer data.
  2. Compare policies. Merchants should compare new policies and standards with the ones they are following. This ensures each part of their system is updated accordingly when the transition to the newest version happens.
  3. Establish a team. Merchants should create a team which will be in charge of updating security policies and procedures to align with the latest version. They will also perform regular implementation and risk mitigation checks.
  4. Protect compromised data. If a breach happens, merchants should act fast and remove sensitive customer data from their systems to prevent further damage.
  5. Examine data systems. Merchants should continuously assess and examine all parts of their system to detect threats and check for vulnerabilities.
  6. Monitor and document activities. Merchants must monitor and document all security activities within their organization to detect suspicious actions from their staff or security system malfunctions.
  7. Review safety protocols. Merchants or hired third parties in this area should regularly assess safety protocols to check their efficiency and implement new versions when they are introduced.
  8. Update the team. Merchants should regularly update team members about the new developments in cyber data protection including policies, protocols, and system updates.


These are the most frequently asked questions and answers about PCI DSS 4.0.

1. What Is PCI DSS 4.0?

PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard. It sets requirements for businesses that handle payment card data to ensure the secure storage, processing, and transfer of cardholder information.

2. What Are the Key Changes in PCI DSS 4.0 Compared to the Previous Version (PCI DSS 3.2.1)?

The key changes that PCI DSS 4.0 proposes include enhanced flexibility, customization options, emphasis on risk assessment, secure system configuration, multifactor authentication, and encryption.

3. When Was PCI DSS 4.0 Released and When Will It Become Mandatory?

The PCI DSS 4.0 version was released in Q1 of 2022. PCI SSC has determined a transition period of two years – from March 2022 to March 2024, giving businesses time to adjust their systems to become compliant with the latest version. During this period, the previous version (PCI DSS 3.2.1) will still be operational.

After March 31, 2024, all businesses should have completed the transition to PCI DSS 4.0 since the previous version will not be active anymore.

4. How Can I Check If I Am PCI DSS 4.0 Compliant?

There are several methods for merchants to check their PCI DSS 4.0 compliance. They include self-assessment questionnaires (SAQ), external audits by Qualified Security Assessors, vulnerability scanning, and penetration testing. The most suitable method depends on the company size, industry, and transaction volume.

5. Are There New Requirements for Cloud Computing in PCI DSS 4.0?

Yes, there are new requirements for cloud computing in PCI DSS 4.0. They emphasize the need to assess the shared responsibility between the cloud service provider and the organization using the cloud services. It also provides guidance on selecting, implementing, and monitoring cloud-based security controls.

6. What Are the Penalties for Non-compliance with PCI DSS 4.0?

Non-compliance with PCI DSS can result in various consequences including fines, increased transaction fees, loss of card payment privileges, reputational damage, and potential legal liabilities.

7. Are Small Businesses Exempt from PCI DSS Compliance?

PCI DSS compliance is required for all businesses that wish to process electronic payments, regardless of their size. However, small businesses may be eligible for a simplified compliance process. For example, they can use a self-assessment questionnaire instead of a formal audit.


Compliance with PCI DSS 4.0 is essential for all businesses that process electronic payments. This latest version provides updates that contribute to stronger data security and address emerging cyber threats. Merchants should stay informed about the new policies and developments from the PCI Security Standards Council to ensure they are implementing the latest practices in cyber data security.

About the author
Anastazija Spasojević
Anastazija Spasojević is a content specialist with expert knowledge of finance, ecommerce and payment processing. After graduating in journalism and international relations, she took an interest in fintech, world economics and online banking.