PCI DSS 4.0 - What you need to know
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 was released by the PCI Security Standards Council (PCI SSC) on March 31st 2022. There are 64 new requirements, 53 of which are applicable to all entities and the remaining 11 new requirements applicable to service providers only. However, it should be noted that of the 64 new requirements, 51 are future dated and are considered a best practice until March 31st 2025 when they become required. All others are required when a PCI DSS v4.0 PCI Compliance assessment is carried out.
As with past major updates to PCI DSS, there is a transition period when either PCI DSS v3.2.1 or PCI DSS v4.0 may be used for PCI compliance assessments; in this case the transition period ends March 31st 2024. PCI compliance assessments after March 31st 2024 must use PCI DSS v4.0.
Although the transition timeline is generous, 2 or 3 years can pass quickly. Changes to your PCI compliance program to adapt to PCI DSS v4.0 requirements should start now in four areas:
Document and assign roles and responsibilities applicable to principal requirements 2 through 11. PCI DSS v4.0 has 10 new requirements concerning the assignment and documentation of roles and responsibilities and these are effective immediately for any PCI DSS v4.0 assessments. Past requirements concerning roles and responsibilities were not necessarily specific to each requirement section with the exception of principal requirements 1 and 12.
Conduct a targeted risk analysis to determine the frequency of certain activities such as log reviews, device inspections, password/passphrase changes and training, to name a few. Past requirements were vague about frequency or periods of time. PCI DSS v4.0 requires the merchant to be specific and to provide a targeted risk analysis that supports the frequency selected.
Access management requirements have always been part of PCI DSS, but PCI DSS v4.0 introduces updated specifications such as a minimum password length of 12 characters instead of 7, and additional security awareness training on phishing attacks.
Group, shared or generic accounts are permitted on an exception basis only and must be managed and have a documented justification for the exception.
What changes do you need to be aware of and prepare for?
The complete list of the PCI DSS 4.0 changes and their effective date is available on the PCI DSS 4.0 Document Library in the document titled “PCI DSS Summary of Changes”.
The list below summarizes the applicability and effective dates of the new requirements.
Applicable to All Entities - 53 requirements
Applicable to Service Providers Only - 11 requirements
Effective Immediately for all v4.0 Assessments - 13 requirements
Best Practice until Effective Date of March 31st 2025 - 51 requirements
At first, this may look like a long lead time for the new requirements, but it is also worth asking why such a long lead time was needed for them to become effective.
While most of the new requirements are incremental in nature, based on prior experience some of the requirements will likely need increased funding and resources. Four examples are:
Requirement 12.3.1 (affecting several other requirements that allow flexibility in how often an activity is performed, including 8.6.3 and 10.4.2.1): A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed.
Requirement 6.4.2: Deployment of a Web Application Firewall (WAF) solution to protect public-facing web applications by automatically monitoring for and alerting on web-based attacks.
Requirement 10.4.1.1: Deployment of automated mechanisms to perform audit log reviews.
Requirement 12.5.2: Document and confirm PCI DSS scope at least every 12 months and upon significant change to the in-scope environment.
There are many new requirements introduced with PCI DSS v4.0. Understanding the implications for your PCI compliance program can be a case of “where do I begin?” 3Factor Compliance Services can provide PCI DSS certified QSA (Qualified Security Assessor) guidance and consulting to ensure your PCI compliance program is ready for PCI DSS v4.0.