What it is & what to do with it

PCI-DSS v4.0 is out.

The PCI Security Standards Council announced the new version on 31 March 2022. Following PCI-DSS v3.2.1, which was released on 1 January 2021, the new version addresses emerging threats and technologies more effectively and introduces new ways of dealing with recent threats.

In this blog, we go over the major topics you need to know to implement PCI DSS v4.0.

Implementation of PCI-DSS v4.0

To give organisations enough time to adopt the changes, both versions will remain valid until 31 March 2024. At that point, v3.2.1 will be retired and replaced by v4.0. Until then, organisations can review the changes and plan a smooth transition to v4.0.

PCI DSS v4.0 has 64 new requirements, of which 13 enter into force immediately. The remaining 51 are treated as best practice until 31 March 2025 and become compulsory for all organisations seeking PCI compliance thereafter.

Although these 51 requirements will not be part of the PCI DSS assessment until 31 March 2025, we recommend preparing for and implementing them early.

How was PCI-DSS v4.0 Prepared?

Planning for PCI DSS v4.0 began in 2017. Although a new version usually takes about a year to complete, this one was only finalised in 2022, because more than 200 companies contributed over 6,000 comments.

This comprehensive feedback resulted in the setting of the following four major goals for v4.0: 

I. For the PCI DSS standard to continue to meet the security needs of the payment industry in the face of evolving threats:

· Multi-factor authentication requirements are tightened,

· Password requirements are updated,

· Requirements addressing e-commerce and phishing are added, reflecting current cyber concerns.

II. To promote security as a continuous process:

· A requirement to assign roles and responsibilities for each requirement,

· Guidance added to make implementing and maintaining security easier to understand,

· A new reporting option that highlights areas for improvement and gives report reviewers more transparency.

III. To increase flexibility so that organisations can achieve security objectives by different means:

· Requirements for group, shared and public accounts are introduced,

· Targeted risk analysis is introduced to clarify which actions need to be taken and how often,

· A new Customized Approach is offered, which allows organisations to use new methods to achieve security objectives.

IV. To diversify verification methods and procedures, the information summarised in the AOC, the Report on Compliance (ROC) and the SAQ is aligned.

New Approaches of PCI-DSS v4.0

v4.0 offers two approaches to implementing and validating PCI DSS: a “Defined” approach and a “Customized” approach.

Defined Approach: The traditional method of implementing and validating PCI DSS:

    Follows the current PCI DSS requirements and testing procedures.

    Is suitable for organisations whose security controls already comply with the current requirements.

    Guides the organisation in achieving the security objectives.

Customized Approach: A new approach in which organisations meet the objective of each requirement with their own controls, rather than following the “Defined” requirements and testing procedures:

    Focuses on the objective of each PCI DSS requirement.

    The organisation designs the controls and implements them to meet that objective.

    Provides more flexibility for organisations that use different methods to reach the security objective of a requirement.

    Is suitable for organisations that have mature security processes and strong risk management practices.

What to do now?

Although organisations are required to implement a series of changes, there is no need to panic, since there is time to adjust to PCI DSS v4.0. Because these changes push towards a more continuous approach, network security and compliance teams will need to rethink their assessment processes. Nevertheless, now is the time to focus on adopting a holistic security posture.

Other Sources of PCI-DSS v4.0

In addition to the updated PCI DSS standard, the following supporting documents are published in the PCI SSC Document Library:

    PCI DSS Summary of Changes v3.2.1 – v4.0

    v4.0 Report on Compliance (ROC) Template

    ROC Attestations of Compliance (AOC)

    Frequently Asked Questions

    Approach Tools

    Quick Reference Guides.

You can contact PCI Checklist about your own, your merchants’ and your third parties’ PCI DSS v4.0 compliance and our solutions.

References:

https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf?agreement=true&time=1651138800032

https://www.freepik.com/free-vector/shield-lock-credit-card-isometric-icon-isolated-vector-illustration-protection-safety-online-payment-symbol_12089310.htm