March 31, 2022, marked the release of PCI DSS (Payment Card Industry Data Security Standard) version 4.0, replacing the previous version 3.2.1, released in 2018. The standard still has 12 requirements, but all have undergone significant changes and restructuring. Below is a general overview of the changes; more detail is available in the official summary document or the full PCI DSS 4.0 standard on the PCI Security Standards Council (SSC) website.
Overall Changes and Aims
Below are the overall PCI DSS v4.0 aims and the changes implemented to achieve them.
Address evolving threats with evolving security methods
- The requirements for multi-factor authentication (MFA) were tightened
- Password requirements were updated
- E-commerce and phishing standards were implemented
Promote security as a continuous process
- Each requirement has assigned roles and responsibilities
- Guidance was added to help with security implementation and maintenance
- A new reporting option increases transparency for report reviewers and highlights areas for improvement
Improve payment flexibility and innovation
- Changes were made to the permissions for group, shared, and public accounts
- Targeted risk analyses allow organizations to establish the frequency of certain activities
- New enforcement and validation of PCI DSS requirements were introduced
Improve business procedures to meet security needs
- Detailed verification and reporting options were developed to improve verification procedures
- The congruence between compliance reports/self-assessments and the Attestation of Compliance was improved
Flexible PCI DSS compliance
In addition to the above changes, PCI DSS v4.0 allows not only a prescriptive compliance approach but also a customized implementation approach. This change gives businesses more flexibility to address their needs with tailored solutions.
Changes by PCI DSS Compliance Requirement
Each requirement of the PCI DSS v4.0 underwent several changes, including general refocusing, clarification, removal, separation, and merging of requirements. In addition, the below points list other specific changes of note for each requirement.
PCI DSS Compliance Requirement 1
- Principal requirement title was updated to reflect the focus on “network security controls”
- “Firewalls” and “routers” were replaced with “network security controls” to support a broader range of technologies
PCI DSS Compliance Requirement 2
- Principal requirement title was updated to reflect the focus on secure configurations rather than just vendor-supplied defaults
- New requirements for roles and responsibilities
PCI DSS Compliance Requirement 3
- Principal requirement title was updated to reflect the focus on account data
- Several new requirements concerning:
  - Roles and responsibilities
  - Encrypting SAD
  - Technical controls to prevent the copy or relocation of PAN
  - Keyed cryptographic hashes
  - Disk-level or partition-level encryption
PCI DSS Compliance Requirement 4
- Principal requirement title was updated to reflect the focus on strong cryptography
- New requirements concerning:
  - Roles and responsibilities
  - Confirming certificates used for PAN transmissions
  - Maintaining an inventory of trusted keys and certificates
PCI DSS Compliance Requirement 5
- Principal requirement titles were updated to reflect the focus on protecting all networks and systems from malicious software
- Replaced “anti-virus” with “anti-malware” to support a broader range of technologies for meeting security objectives
- New requirements concerning:
  - Roles and responsibilities
  - Frequency of evaluations of system components
  - Frequency of periodic malware scans
  - Malware solutions for removable electronic media
  - Detection and protection of personnel against phishing
PCI DSS Compliance Requirement 6
- Principal requirement title was updated to include “software” rather than “applications”
- Clarification that Requirement 6 (except 6.2) applies to all system components
- New requirements concerning:
  - Roles and responsibilities
  - Maintenance of inventory of bespoke and custom software
  - Deployment of an automated technical solution for public-facing web applications
  - Management of all payment page scripts loaded and executed in the consumer’s browser
PCI DSS Compliance Requirement 7
- Principal requirement title updated to include system components and cardholder data
- New requirements concerning:
  - Roles and responsibilities
  - Review for assignment and management of user accounts and related access privileges
  - Review of all access by application and system accounts and related access privileges
PCI DSS Compliance Requirement 8
- Standardization of the terms “authentication factor” and “authentication credentials”
- Removal of “non-consumer users” and clarification that requirements do not apply to consumer accounts
- New requirements concerning:
  - Roles and responsibilities
  - Increasing password minimum length
  - Password renewal frequency
  - MFA
  - Management of system or application accounts that can be used for interactive login
  - Hard-coding passwords/passphrases into files or scripts
  - Protecting passwords/passphrases
PCI DSS Compliance Requirement 9
- Clarification of the three areas (sensitive areas, CDE, and facilities)
- Clarification of which requirement applies to which area
- New requirement to define the frequency of POI device inspections
PCI DSS Compliance Requirement 10
- Principal requirement titles updated to “reflect a focus on audit logs, system components, and cardholder data”
- Replacement of “Audit trails” with “Audit logs”
- New requirements concerning:
  - Roles and responsibilities
  - The use of automated mechanisms to “perform audit log reviews”
  - Targeted risk analysis to define the frequency of log reviews for all other system components
  - Detecting, alerting, and addressing failures of critical security control systems
  - Responding promptly to failures of critical security controls
PCI DSS Compliance Requirement 11
- Minor update to principal requirement title
- New requirements concerning:
  - Roles and responsibilities
  - Management of vulnerabilities found during internal vulnerability scans
  - Performing internal vulnerability scans via authenticated scanning
  - Multi-tenant service providers supporting their customers for external penetration testing
  - Service providers using intrusion-detection or intrusion-prevention techniques
  - Change-and-tamper detection mechanisms for “alerting unauthorized modifications to the HTTP headers and contents of payment pages”
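As an added illustration of the kind of control named above for payment pages (Requirement 6's management of payment page scripts and Requirement 11's change-and-tamper detection), the following example compares a trusted baseline of a page's script inventory and selected response headers against a later observation and reports what changed. This is example code written for this summary, not from the PCI SSC or any product; the page HTML, script URLs, header values and the set of watched headers are all constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptInventory(HTMLParser):
    """Collects external script URLs and SHA-256 digests of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._buf = set(), False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.add(("external", src))
            else:
                self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).encode()
            self.scripts.add(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False

def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    return parser.scripts

# Response headers to watch (an assumed set; header names are expected in canonical case).
WATCHED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security")

def detect_tampering(base_html, base_headers, cur_html, cur_headers):
    # Compare a trusted baseline with a later observation and return alert strings.
    base, cur = inventory(base_html), inventory(cur_html)
    alerts = [f"unexpected script: {k} {v}" for k, v in sorted(cur - base)]
    alerts += [f"missing script: {k} {v}" for k, v in sorted(base - cur)]
    alerts += [f"header changed: {h}: {base_headers.get(h)!r} -> {cur_headers.get(h)!r}"
               for h in WATCHED_HEADERS if base_headers.get(h) != cur_headers.get(h)]
    return alerts

# Constructed sample: baseline page, then a later copy with an extra third-party script and a weakened CSP header.
BASE_HTML = ('<html><head><script src="https://pay.example.invalid/checkout.js"></script>'
             '<script>initCheckout();</script></head><body></body></html>')
BASE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://pay.example.invalid"}
CUR_HTML = BASE_HTML.replace("</head>", '<script src="https://cdn.example.invalid/extra.js"></script></head>')
CUR_HEADERS = {"Content-Security-Policy": "script-src *"}
def run_sample():
    return detect_tampering(BASE_HTML, BASE_HEADERS, CUR_HTML, CUR_HEADERS)
```

In practice the baseline is captured from a known-good deployment and the comparison runs on a schedule against what the consumer's browser actually receives, which is why inline script bodies are hashed rather than just counted.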
PCI DSS Compliance Requirement 12
- Principal requirement title was updated to reflect the focus on organizational policies and programs that support information security
- New requirements concerning:
  - Performing targeted risk analyses for any PCI DSS requirement that provides flexibility for how frequently it is performed
  - Performing targeted risk analysis when using a Customized Approach
  - Documenting and reviewing cryptographic cipher suites and protocols
  - Reviewing hardware and software
  - Documenting and confirming PCI DSS scope
  - Reviewing the impact on PCI DSS scope and applicability
  - Reviewing and updating the security awareness program
  - Security awareness training contents
  - Service providers supporting customers’ information requests
  - Risk analyses
Next steps
PCI DSS v3.2.1 will remain in effect until March 2025, providing a two-year window for making the transition. However, implementing all the changes can be a long process, so it’s best to start treating them as best practices as soon as possible to meet the transition deadline. The PCI SSC website can help you find all the relevant documents, information, and training for updating your certification before 2025.
Contact us to complete a gap assessment as a way to get ready for PCI DSS 4.0.