PCI DSS 4.0: What You Need to Know

The PCI Security Standards Council (PCI SSC) has published version 4.0 of the PCI Data Security Standard (PCI DSS). This version 4.0 replaces version 3.2.1, addresses emerging threats and technologies, and utilizes new methods in order to combat the new threats. [2]

What You Need to Know

The PCI Data Security Standard (PCI DSS) is the global standard that provides a baseline of technical and operational requirements designed to protect payment card account data. While PCI DSS was specially designed to focus on environment payment card account data, it can be used to protect other elements in the payment ecosystem against threats. [1]

Much has changed since version 3.2.1 was released in 2018, including online transactions, the increased use of point-of-sale machines, and cloud platforms are used extensively for the storage of cardholder data. The new PCI DSS v4.0 allows retailers to take a customized implementation approach, meaning that retailers can modify implementation procedures and still meet requirement intent. [3]

What’s New in PCI DSS 4.0

The 12 core PCI DSS requirements did not fundamentally change with PCI DSS 4.0. However, the new v4.0 will focus on PCI security objectives that will guide how security controls should be implemented. [3] Some of the changes within PCI DSS v4.0 consist of the following:

• Stronger authentication requirements
• Cardholder data being considered account data
• Implemented new e-commerce and phishing standards
• Provided new guidance on the scope and applicability of the PCI DSS requirements and their application to third-party service providers

Cardholder Data is Now Considered Account Data

PCI DSS v4.0 now regards what used to be known as “cardholder data” as account data. This consists of cardholder data and/or sensitive authentication data. With this new distinction, account data is considered a generalized term, thus, this will have broader implications for an organization. A recent article by Tripwire provided an example of data that is stripped of card number information, making it no longer acceptable to store this information without the same protections as a full data set. This could result in an increase in the scope of PCI audits. [5]

Stronger Authentication Requirements

With the payment industry gradually moving towards the cloud, it’s important that stronger authentication standards are enforced to safeguard cardholder data. Although this is not an exhaustive list, PCI DSS v4.0 considers these requirements:

• Multi Factor Authentication (MFA) requirements are more stringent. MFA usage should be used with all accounts that have access to cardholder data, not just administrators that have access to the environment.
• Service Account passwords, used by applications or systems, must be changed every 12 months or if there is a suspicion that the account has been compromised.
• Strong passwords must contain both numeric and alphanumeric characters and consist of a minimum length of 12 characters. However, if the system does not support 12 characters, then an 8 character minimum will apply.
• All user accounts and access privileges must be reviewed at least once every six months.
• The standard makes room for zero-trust approaches for authentication and authorization.

With v4.0, PCI DSS compliance will permit organizations to build their own unique authentication methods, as long as they can meet data security regulatory requirements and can scale to fit the organization’s transaction objectives and risk environment. [3][1] [4][5]

New Requirement Additions

PCI DSS v4.0 has also added requirements to the existing list, including:

• Each of the 12 requirements now includes a section on the associated roles and responsibilities
• If an organization performs periodic malware scans, then the frequency of these scans must be defined in the organization’s targeted risk analysis
• Processes or mechanisms that detect and protect personnel from phishing attacks
• Vulnerabilities, not classified as high or critical, are addressed based on the organization’s targeted risk analysis [1][4]

The Transition Timeline to PCI DSS 4.0

The transition to PCI DSS v4.0 will not immediately take effect. During this phase, PCI DSS v3.2.1 will remain active for the two years following the publication of v4.0. Organizations will have two years to familiarize themselves with the changes, update any reporting templates and forms, and plan for and implement the changes to meet the new requirements. The date everyone will need to have completed the transition will be March 31, 2024.

Once the transition period is complete, PCS DSS v3.2.1 will be retired and PCI DSS v4.0 will be the only active version. Some requirements are designated with a future date to provide organizations with implementation time; until the future date is reached, those requirements will be considered best practices.

Threats are constantly changing and evolving, requiring new technology to be used to combat and proactively protect against them. The changes made to PCI DSS compliance are a step in the right direction to address the quickly changing threat landscape against payment card data by requiring better PCI security practices to be implemented.

Reference:

1. Payment Card Industry Data Security Standard – Requirements and Testing Procedures. Version 4.0 March 2022
2. PCI SSC webpage – https://www.pcisecuritystandards.org/ 
3. What you need to know about PCI DSS 4.0’s new requirements. Anastasios Arampatzis. https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-
4. What’s new in PCI DSS v4.0? PCI DSS Guide. https://www.pcidssguide.com/whats-new-in-pci-dss-v4-0/
5. PCI DSS 4.0 is Here: What you need to Consider. https://www.tripwire.com/state-of-security/regulatory-compliance/pci-dss-4-0-what-you-need-to-consider/