The PCI Security Standards Council released PCI DSS v4.0 on March 31, 2022. The aim of the update is to establish standards that better address emerging threats and new technologies. Developing PCI DSS v4.0 involved feedback from more than 200 organizations, so that the standard remains relevant as the payment security landscape becomes ever more complicated. In this blog we outline the key requirements of PCI DSS v4.0 and what organisations need to do in order to be compliant.
Broadly speaking, PCI DSS v4.0 addresses the evolving security challenges that merchants are faced with in terms of ensuring and maintaining the highest levels of payment security. It aims to encourage organizations to see security as an ongoing and continuous process and to promote flexibility, giving organizations a range of different methods that they can deploy to achieve their security goals.
The preceding version of PCI DSS, v3.2.1, was published back in 2018, and a great deal has changed since then. Primarily, the pandemic has led to an explosion in online shopping and the use of contact centers. A wide range of technologies have been migrated to the cloud, which brings its own challenges, and as payment technology has developed, attackers and fraudsters have also become more sophisticated. PCI DSS v4.0 has been developed with this new reality in mind.
The good news is that if you are already compliant with PCI DSS v3.2.1 then the move to v4.0 is an enhancement of what you are already doing, rather than a complete game changer. The new elements included in v4.0 are ‘future dated’, which gives organizations the time they need to determine what needs to change and then implement those changes. Full compliance with PCI DSS v4.0 is not required until 2025.
What has changed in PCI DSS v4.0?
Broadly, the changes in PCI DSS 4.0 can be grouped into four themes.
- Security methods need to develop as the nature of the threats that merchants face changes
  - Password requirements have been updated: passwords for accounts used by applications and systems must be changed at least every 12 months, and immediately if there is suspicion that they have been compromised. PCI DSS v4.0 also requires that passwords be compared against lists of known bad passwords, and mandates strong passwords containing a mix of at least 15 alphanumeric characters for accounts used by applications and systems.
  - There are more stringent requirements for multi-factor authentication: it must now be applied to all accounts that have access to the cardholder data, rather than only to the accounts of administrators accessing the cardholder data environment
  - There are new standards relating to e-commerce and phishing
- Security is viewed as an ongoing, continuous process
  - There is more guidance to help people better understand how to implement and maintain security
  - The new approach to reporting highlights areas where improvements are needed and gives greater transparency for report reviewers
  - Each requirement has assigned roles and responsibilities associated with it
- New requirements have been added to support new payment technologies and give organisations more flexibility to determine the methods by which they achieve their security goals
  - Group, shared and public accounts are now allowed
  - Targeted risk analyses will help organizations to establish the frequency with which they should perform certain activities
  - There will be a new customized approach to enforcing and validating PCI DSS requirements
- Improved verification methods and procedures
  - Increased alignment between the information reported in a Report on Compliance or Self-Assessment Questionnaire (SAQ) and the information summarised in the Attestation of Compliance (AoC).
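As an added example (not code from the original post or from the PCI SSC), the following Python check encodes the application and system account password rules described above: minimum length, a mix of letters and digits, a known-bad-password list, and rotation after 12 months or on suspected compromise. The denylist and the account records are constructed for illustration; a real deployment would compare against a full breached-password corpus.

```python
"""Policy checks for application/system account passwords, using the
thresholds stated in the post (15 characters, 12-month rotation).
The denylist below is a constructed stand-in for a real breached-password list."""
from datetime import date, timedelta

MIN_LENGTH = 15                      # minimum length for application/system accounts
MAX_AGE = timedelta(days=365)        # rotate at least every 12 months
KNOWN_BAD = {"password", "changeme", "welcome1", "admin123"}  # constructed sample


def check_password(password, denylist=KNOWN_BAD):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    # Case-insensitive lookup; real lists are usually hashed and checked the same way.
    if password.lower() in denylist:
        problems.append("appears on the known-bad password list")
    return problems


def rotation_due(last_changed, today, compromised=False):
    """True when the credential must be changed now: suspected compromise
    always forces a change, otherwise the 12-month limit applies."""
    return compromised or (today - last_changed) > MAX_AGE


def audit_accounts(accounts, today):
    """Run both checks over constructed account records and return
    {account name: [issues]} for every account that needs attention."""
    findings = {}
    for acct in accounts:
        issues = check_password(acct["password"])
        if rotation_due(acct["last_changed"], today, acct.get("compromised", False)):
            issues.append("rotation due")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    sample = [  # constructed records, not real credentials
        {"name": "svc-batch", "password": "Tr0ub4dor-service-acct-2022", "last_changed": date(2022, 6, 1)},
        {"name": "svc-web", "password": "Summer2024", "last_changed": date(2023, 1, 10)},
        {"name": "svc-db", "password": "Long-but-no-digits-here", "last_changed": date(2023, 3, 1), "compromised": True},
    ]
    for name, issues in audit_accounts(sample, date(2023, 3, 15)).items():
        print(name, "->", "; ".join(issues))
```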
One of the biggest benefits of PCI DSS v4.0 is that it offers a customized implementation approach which gives organizations much more flexibility. You will no longer be forced to follow specific methods as laid out in the standard or implement potentially burdensome compensating controls. Instead, you can focus on implementing solutions that work for you to achieve the intended outcome of each specific PCI DSS objective.
We’re now in a transition period that lasts until March 31, 2024. This gives you time to familiarize yourself with the changes in PCI DSS v4.0 as they relate to your organization, and to update reporting templates and forms, so that you meet the updated requirements by the time PCI DSS v3.2.1 is retired at the end of March 2024.
There are also some new requirements that have been identified as best practice which your organization needs to implement by March 31, 2025.
Talk to us about how we can help you
If you’d like to find out more or are concerned about how this might affect your organization then get in touch – we’d be happy to help.