Source: securityboulevard.com – Author: Harman Singh
In a time when cyber threats continuously evolve, a security standard or framework is essential for protecting digital assets. The Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council, empowers organisations to safeguard cardholder data globally.
PCI DSS offers technical guidance and practical steps to effectively protect cardholder data and the overall payment infrastructure. PCI DSS v4.0 is the most significant update to the standard since 2013, introducing 64 new objective-based requirements with a more flexible and customised approach.
Released in March 2022, this PCI DSS version introduces innovative security measures and a more adaptable compliance strategy. However, is it still applicable in the face of emerging threats? This blog will explore this question.
What is PCI DSS v4.0 compliance?
PCI DSS v4.0 compliance refers to compliance with the official update to the PCI Data Security Standard, published in March 2022. The PCI Council incorporated feedback from over 200 organisations in the payment security space into the changes made in PCI DSS 4.0.
This version introduced a more flexible and customised approach to managing security risks and enhancing security measures. It also ensures that organisations maintain an up-to-date security posture through continuous monitoring and effective risk management strategies across their entire payment ecosystem.
PCI DSS v3.2.1 to v4.0: What changes were made to the PCI DSS requirements?
Several requirements were updated when PCI DSS version 4.0 was released on March 31, 2022. The transition period for PCI DSS version 3.2.1 will last until March 31, 2024. After that date, PCI DSS version 4.0 will be the only active version of the standard.
In terms of PCI DSS version 4 audits, all eligible organisations must complete risk assessments at least annually. Here is a rundown of changes in requirements:
Requirement 1
PCI DSS v4.0 updates Requirement 1 of v3.2.1 by broadening the focus from firewalls and routers to network security controls in general.
Key changes in v4.0 include:
- Defining roles and responsibilities for network management components.
- Establishing configuration standards for network security controls and reviewing them at least every six months.
- Clarifying security countermeasures between wireless networks and the Cardholder Data Environment (CDE).
- Strengthening controls between trusted and untrusted networks, including restrictions on inbound traffic from untrusted networks.
Requirement 2
Here, the title has been revised to focus on the overall secure configurations. Also, the PCI DSS version 4.0 explains guidance for previous requirements 2.1, 2.4, and 2.6, focusing on the following:
- Managing vendor default accounts.
- Ensuring secure configurations beyond vendor default settings.
- Distinguishing primary functions that require different security levels.
- Identifying insecure services, protocols, or daemons.
Requirement 3
The principal requirement title has been updated for account data security, emphasising the importance of protecting sensitive data. The key changes in PCI DSS v4.0 include but are not limited to the following:
- Implementing data retention and disposal policies for sensitive authentication data (SAD) stored before authorisation, and encrypting that data.
- Masking the PAN when displayed, so that only personnel with a legitimate business need can see more than the BIN and last four digits.
- Preventing the copying or relocation of the PAN during remote access.
- Using cryptographic hashes, or disk-level or partition-level encryption, to render the PAN unreadable on removable and non-removable media.
- Documenting the cryptographic architecture to ensure the same cryptographic keys are not used in both production and test environments.
Requirement 4
The requirement title has been revised to highlight the importance of strong cryptography and to improve the protection of card data during transmission.
Requirement 5
It divides the former PCI DSS requirement into three focus areas:
- Keeping the antivirus/malware system up-to-date.
- Performing continuous behavioural analysis as well as periodic and real-time scans.
- Generating audit logs from the malware solution.
The new PCI DSS version also introduced significant changes to establish roles and responsibilities for malware protection, define the frequency of periodic malware scans through a targeted risk analysis, implement a malware solution for removable media, and introduce measures to detect and protect against phishing attacks. Malware can set up covert communication channels with threat actors running a botnet or an entire operation targeting card data networks.
Requirement 6
The changes from PCI DSS v3.2.1 to PCI DSS v4.0 for Requirement 6 include but are not limited to:
- Integrating secure software development lifecycle.
- Regular security testing to identify vulnerabilities and missing security controls.
- Security configurations for all system components.
- Prompt patch management and remediation.
- Utilising threat intelligence to enhance security posture.
- Documenting security processes and activities related to system development and maintenance.
Requirement 7
This PCI DSS requirement includes new roles and responsibilities for access management, clarifications on least privilege principles, removal of some documented procedures, and a definition of the access control model.
Requirement 8
This requirement uses the terms “authentication factor” and “authentication credentials” and removes the term “non-consumer users” to clarify that the requirements do not apply to consumer accounts. It also clarifies the authentication processes, defines evaluation frequencies for multi-factor authentication factors, and permits securely shared authentication credentials only on an exception basis.
Also, multi-factor authentication (MFA) is required for all access to the CDE, alongside other measures to protect against password/passphrase misuse.
Requirement 9
This update clarifies Requirement 9 for sensitive areas of CDE. Key changes include defining the requirements’ applicability to the CDE, establishing new roles and responsibilities for v4.0 assessments, and mandating the locking of consoles in sensitive environments when not in use.
Requirement 10
New roles and responsibilities have been introduced and are immediately effective for all v4.0 assessments, and a few redundant requirements have been removed.
Key changes include a title revision to highlight audit logs, a clarification that the requirements do not apply to consumer user activity, and the replacement of “audit trails” with “audit logs” throughout. It also requires the detection and prompt reporting of failures of critical security control systems, which applies to all entities.
Requirement 11
The principal requirement title has been updated to explain wireless access point management. The key changes in the new PCI DSS version include but are not limited to the following:
- Defining roles and responsibilities for wireless access point management, effective immediately for v4.0 assessments.
- Separating internal and external vulnerability scans into distinct requirements with clear documentation and retention guidelines.
- Requiring multi-tenant service providers and third-party service providers to support external penetration testing. Service providers are also responsible for continuously monitoring their cloud environments to identify security risks and vulnerabilities.
Requirement 12
The title of this requirement has been updated to highlight the organisational policies that support information security. To adopt a focused approach to assessments, the formal risk assessment has been replaced with targeted risk analysis. A few clarifications on acceptable use policies for end-user technologies have been added. Additionally, annual documentation of the cryptographic protocols in use is now required, and third-party service providers must validate their PCI DSS scope every six months.
What are the PCI DSS 4.0 requirements?
PCI DSS 4.0 consists of 12 requirements applicable to all businesses handling credit card data or payment processes within the PCI scope. The scope includes systems that store, process or transmit cardholder data (CHD) and sensitive authentication data (SAD). The new requirements add more security controls to protect payment card data and help merchants, banks, and financial institutions stay compliant. Some are effective immediately; most are due by March 31, 2025.
1. Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Firewalls are essential to creating barriers and are the first line of defence between internal and external networks. The PCI DSS 4.0 requirement mandates organisations to install and configure firewalls to restrict unauthorised access and ensure regular monitoring to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Default passwords are one of the common reasons behind many data breaches, as they are easy to guess and publicly available. Organisations need to change default passwords and settings before using them in their PCI environment.
2. Protect cardholder data
Requirement 3: Protect stored data.
To prevent exposure of sensitive information, stored cardholder data must be protected through strong encryption, hashing, tokenisation, or any other means that suits the circumstances.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Open and public networks pose a high risk when transmitting sensitive information such as cardholder data. Therefore, to meet this PCI DSS 4.0 requirement, it is crucial to use HTTPS with a properly configured TLS to secure transmission over an open, public network.
3. Maintain a vulnerability management program
Requirement 5: Use and regularly update antivirus software or programs.
Antivirus software greatly helps detect and prevent malware infection, delivery, etc. Such software ensures the PCI environment is secure and has controls to identify, detect, and block potential threats.
Requirement 6: Develop and maintain secure systems and applications.
When you build security into the foundation, you significantly reduce the attack surface, and this PCI DSS requirement addresses exactly that. Regular software updates, patches, vulnerability assessments, and secure coding practices will ensure your applications and systems remain secure throughout their lifecycle.
4. Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
When you grant access on a need-to-know basis, you automatically minimise the risk of unauthorised access. The requirement here mandates that businesses implement role-based access to ensure the security of the cardholder data environment (CDE).
Requirement 8: Assign a unique ID to each person with computer access.
Unique identifiers help establish accountability and audit trails. In the long run, this is a great security control that helps track activity and identify the source of breaches.
Requirement 9: Restrict physical access to cardholder data.
Appropriate physical security controls are needed to protect cardholder data processing or storage environments. These include surveillance systems, visitor management processes, etc.
5. Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Effective monitoring to identify security events for analysis is key to having the right alerts in place when something goes wrong. It helps to detect and respond to security incidents, improving the overall logging and monitoring controls family and boosting your security strategy.
Requirement 11: Regularly test security systems and processes.
As new zero-days are exploited all the time, regular testing is important to ensure your systems are free of defects and that all relevant controls, such as incident response procedures, a disaster recovery programme, vulnerability management, etc., are in place to address any issue promptly.
6. Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
An information security policy sets out guidelines for implementing security practices for people, processes, and technologies. To keep those practices evolving in the right direction, the business must maintain a policy that addresses topics such as data protection, acceptable usage, incident response procedures, vulnerability management, security awareness training, etc.
Future-dated requirements of PCI DSS 4.0
These are best practices until March 31, 2025. After that date, organisations must meet these requirements and align their security accordingly to be PCI DSS compliant.
Requirement 3
The future-dated requirements under Requirement 3 include:
- Data retention and disposal policies for SAD stored before authorisation.
- Encrypting SAD stored before authorisation.
- Masking the PAN when displayed, so that only personnel with a business need can see more than the BIN and last 4 digits.
- Preventing the PAN from being copied or moved during remote access.
- Cryptographic hashes, or disk-level or partition-level encryption, on removable and non-removable media.
- Documenting the cryptographic architecture so that the same keys are not used in production and test environments.
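The PAN controls under Requirement 3 (listed above and in the v3.2.1-to-v4.0 comparison earlier) and the Requirement 12 duty to act when PAN turns up where it should not are easy to get subtly wrong. The following added example (not code from the article or from the PCI SSC) implements display masking that never shows more than BIN plus last four, a keyed hash for rendering stored PAN unreadable (v4.0 requirement 3.5.1.1 calls for keyed hashes), and a Luhn-filtered scan for unmasked PANs in log text. The 8-digit BIN length, the minimum of four hidden digits, the HMAC-SHA256 choice and all card numbers and log lines are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

BIN_LEN = 8       # assumption: display up to an 8-digit BIN
LAST_LEN = 4      # last four digits may always be shown
MIN_MASKED = 4    # assumption: always hide at least this many digits
MASK_CHAR = "*"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Mask a PAN for display.

    Personnel without a legitimate business need see only the last four;
    those with a need may also see the BIN. At least MIN_MASKED digits
    stay hidden, so short PANs get a shorter visible prefix.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    prefix = 0
    if show_bin:
        prefix = max(0, min(BIN_LEN, len(digits) - LAST_LEN - MIN_MASKED))
    hidden = len(digits) - prefix - LAST_LEN
    return digits[:prefix] + MASK_CHAR * hidden + digits[-LAST_LEN:]


def pan_keyed_hash(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed hash (HMAC-SHA256).

    An unkeyed hash is brute-forceable once the BIN is known, because only
    the remaining digits vary; the key must be managed like a data key.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return masked forms of Luhn-valid PAN candidates found in free text.

    Use on logs or exports where PAN is not expected; the finding itself
    is masked so the report does not leak the PAN.
    """
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed log sample: one unmasked test PAN, one tokenised order and one
# 13-digit id that fails the Luhn check and must not be reported.
SAMPLE_LOG = (
    "2024-03-31T10:15:02 INFO order=10045 pan=4111 1111 1111 1111 amount=19.99\n"
    "2024-03-31T10:15:03 INFO order=10046 token=tok_9f8e7d6c amount=5.00\n"
    "2024-03-31T10:15:04 WARN retry id=1234567890123 amount=7.50\n"
)

if __name__ == "__main__":
    print(mask_pan("4111111111111111", show_bin=True))   # 41111111****1111
    print(mask_pan("4111111111111111"))                  # ************1111
    print(find_pans(SAMPLE_LOG))                         # ['************1111']
```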
Requirement 4
This one ensures that the certificates used to protect PAN transmissions over open, public networks are valid and not expired or revoked. It also emphasises maintaining an inventory of trusted keys and certificates.
Requirement 5
The following future-dated actions under Requirement 5 are essential to maintain a secure environment:
- Implement a focused risk analysis to determine the frequency of periodic evaluations for system components identified as being at minimal risk of malware.
- Perform a targeted risk analysis to determine the frequency of periodic malware scans.
- Conduct anti-malware scans when using removable electronic media.
- Implement mechanisms to detect and protect personnel against phishing attacks.
Requirement 6
This is about software management for security. You need to do the following to be PCI DSS compliant:
- Keep an inventory of custom and bespoke software to enable vulnerability and patch management.
- Deploy an automated technical solution for public-facing web applications to detect and prevent web attacks in real time.
- Manage all payment page scripts loaded and executed in the customer’s browser for security and compliance.
Requirement 7
This is about regular reviews of user accounts and access privileges. You need to do the following:
- Review all user accounts and their associated access privileges thoroughly, and ensure application and system accounts are assigned and managed correctly.
- Review all application and system accounts and their access privileges to maintain a secure environment.
Requirement 8
The future Requirement 8 is about strong authentication for access to sensitive data. You need to do the following:
- Establish a minimum complexity requirement for passwords used as an authentication factor. If passwords or passphrases are the sole method of authentication, they must be updated every 90 days. Alternatively, the account’s security can be assessed dynamically for real-time access.
- Multi-factor authentication for all access to the CDE, with the multi-factor authentication systems themselves implemented properly.
- Managing interactive logins for application and system accounts so that their passwords and passphrases are protected from misuse.
Requirement 9
This PCI DSS requirement is about regular inspections and targeted risk analysis for Point of Interaction (POI) devices.
Requirement 10
This Requirement 10 focuses on audit log management for the integrity and security of systems. You need to implement these measures:
- Automate audit log reviews to enhance efficiency and accuracy.
- Conduct a targeted risk analysis to determine the frequency of log reviews for all other system components.
- Promptly detect, alert, and address failures of critical security control systems.
- Ensure that responses to failures of critical security control systems are initiated without delay.
Requirement 11
Requirement 11 requires organisations to demonstrate comprehensive security measures to effectively manage vulnerabilities across the hardware and software assets, including those not critical or high risk for the organisation. These include the following items:
- Manage all applicable vulnerabilities that are not ranked as high-risk or critical.
- Perform internal vulnerability scans using authenticated scanning methods.
- Multi-tenant service providers must support external penetration testing.
- Implement detection for covert malware communication channels, including alerting, prevention, and remediation via intrusion detection and prevention techniques.
- Deploy a change-and-tamper detection mechanism specifically for payment pages.
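The script inventory under Requirement 6 above and the change-and-tamper detection for payment pages here are two halves of one control: an authorised list with a justification and an integrity value per script, and a periodic comparison of what the consumer's browser actually receives against that list. The following added example (not code from the article or from the PCI SSC) implements both, including the monitored HTTP security headers; the URLs, script bodies, headers and the choice of SHA-384 (the Subresource Integrity format) are assumptions constructed for the example.

```python
import base64
import hashlib

# assumption: the response headers the tamper check watches
SECURITY_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security")


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value ("sha384-<base64>") for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def build_baseline(authorised: dict, headers: dict) -> dict:
    """Authorised inventory: url -> {"why": justification, "integrity": hash}.

    Every script on the payment page needs a written reason for being there
    and an integrity value recorded at the time it was approved.
    """
    return {
        "scripts": {url: {"why": why, "integrity": sri_hash(body)}
                    for url, (why, body) in authorised.items()},
        "headers": {h: headers.get(h) for h in SECURITY_HEADERS},
    }


def check_payment_page(baseline: dict, observed_scripts: dict,
                       observed_headers: dict) -> dict:
    """Compare what the browser received with the baseline.

    observed_scripts maps url -> body bytes as loaded by the consumer browser.
    Unauthorised, modified and missing scripts and any changed security
    header are reported; anything reported should raise an alert.
    """
    report = {"modified": [], "unauthorised": [], "missing": [], "header_changes": []}
    for url, body in observed_scripts.items():
        entry = baseline["scripts"].get(url)
        if entry is None:
            report["unauthorised"].append(url)
        elif sri_hash(body) != entry["integrity"]:
            report["modified"].append(url)
    for url in baseline["scripts"]:
        if url not in observed_scripts:
            report["missing"].append(url)
    for header, expected in baseline["headers"].items():
        if observed_headers.get(header) != expected:
            report["header_changes"].append(header)
    return report


def alert_needed(report: dict) -> bool:
    return any(report.values())


# Constructed data: the approved page, then a later observation in which the
# payment SDK body changed, an unlisted script appeared and the CSP changed.
AUTHORISED = {
    "https://shop.example/checkout.js": ("checkout form logic", b"function pay(){/*v1*/}"),
    "https://psp.example/sdk.js": ("payment service provider SDK", b"window.psp={v:'1.0'};"),
}
HEADERS_OK = {"Content-Security-Policy": "script-src 'self' https://psp.example",
              "Strict-Transport-Security": "max-age=31536000"}
OBSERVED_SCRIPTS = {
    "https://shop.example/checkout.js": b"function pay(){/*v1*/}",
    "https://psp.example/sdk.js": b"window.psp={v:'1.0'};/*changed*/",
    "https://cdn.example/analytics.js": b"track();",
}
OBSERVED_HEADERS = {"Content-Security-Policy": "script-src *",
                    "Strict-Transport-Security": "max-age=31536000"}


def run_check() -> dict:
    return check_payment_page(build_baseline(AUTHORISED, HEADERS_OK),
                              OBSERVED_SCRIPTS, OBSERVED_HEADERS)


if __name__ == "__main__":
    result = run_check()
    print(result, "ALERT" if alert_needed(result) else "ok")
```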
Requirement 12
The last requirement in PCI DSS 4.0 emphasises a proactive approach to risk management and personnel training, ensuring robust protection of cardholder data through the following measures:
- Establishing a defined frequency for training incident response personnel, and initiating incident response procedures immediately when PAN is detected where it is not expected.
- Incorporating alerts from change and tamper detection mechanisms for payment pages to bolster incident response capabilities.
- Ensuring logical separation of access and validating the effectiveness of security controls through semi-annual penetration testing.
- Documenting and reviewing the impact of organisational changes on PCI DSS scope, with findings communicated promptly to management.
- Reviewing and updating the security awareness programme annually, covering relevant threats to the CDE and guidelines for acceptable technology use.
- Assessing hardware and software technologies regularly while documenting targeted risk analyses to support compliance with PCI DSS requirements.
Timeline for PCI DSS 4.0 adoption and enforcement deadlines
Release of PCI DSS 4.0
The PCI DSS v4.0 was released in March 2022 and introduced updated requirements and guidance for securing payment account data and environments.
Organisations using the customised approach must work closely with a Qualified Security Assessor (QSA) to document the chosen controls and methods. This approach is better suited to organisations with mature security programmes. Customised validation is distinct from compensating controls, which require documented justification when an organisation cannot meet a specific requirement. The PCI Council emphasises that the customised approach does not allow organisations to avoid being assessed.
End of support for PCI DSS v3.2.1
PCI DSS v3.2.1 was retired on March 31, 2024, after which it became mandatory for businesses to achieve compliance with the PCI DSS 4.0 requirements.
Transition period
Organisations are encouraged to familiarise themselves with the new requirements and implement appropriate modifications to their security protocols and controls concerning version 4.0 during the specified timeframe, specifically from March 2022 to March 2024. During this transitional period, organisations may adhere to either the PCI version 3.2.1 or the PCI version 4.0 standards.
Future-dated requirements
PCI DSS 4.0 has some future-dated requirements that take effect after March 31, 2025. You need to implement these by then, as they are required for ongoing compliance and to address evolving security threats.
How to become PCI DSS 4.0 compliant?
Organisations can comply with PCI DSS 4.0 by first assessing their current data security posture and then implementing the PCI-defined controls organised under the six PCI DSS compliance goals. The controls comprise 12 requirements with actionable steps, such as completing a Self-Assessment Questionnaire (SAQ), conducting risk and vulnerability assessments, and implementing other security measures.
Once implemented, security monitoring systems, testing procedures, and documentation are required to maintain compliance and remediate issues as they arise.
PCI DSS 4.0 prioritised approach
The Prioritised Approach organises the PCI DSS requirements into six risk-based security milestones to help organisations protect against evolving risks and threats while working towards PCI DSS compliance. Developed from breach data and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors, it focuses on securely storing, processing, and transmitting payment account data.
By following the approach and its milestone guidelines, organisations can effectively protect payment account data and reduce the likelihood of breaches during the compliance process. Although this method significantly aids in assessing compliance and mitigating risk, it cannot replace the need for full PCI DSS compliance, nor does it serve as a universal solution applicable to every organisation.
1. Eliminate sensitive data storage
The first milestone concerns managing the major risk of compromised entities. It emphasises not storing sensitive authentication or other account data if there is no need for it.
2. Protect systems and networks
This milestone focuses on implementing controls at key access points to prevent compromises and establish effective response procedures.
3. Secure payment applications
The application and server vulnerabilities can help threat actors compromise systems and retrieve cardholder data. Therefore, it is crucial to secure applications and servers with appropriate security controls.
4. Monitor and manage access to your systems
This milestone focuses on implementing controls to track the activity performed in the CDE, such as who accessed your network, what actions were taken, when, and how.
5. Safeguard stored cardholder data
This one is particularly directed toward organisations that must store Primary Account Numbers (PANs). It is all about implementing robust protections to secure the PANs’ data.
6. Finalise compliance efforts
This milestone ensures that all remaining PCI DSS requirements are fulfilled and that the necessary policies, procedures, and processes are completed to fully protect the CDE.
UPDATE: PCI DSS 4.0.1 released
The PCI Security Standards Council (PCI SSC) released a limited revision, PCI DSS v4.0.1, on June 11, 2024. This version corrects formatting and typographical errors and clarifies some guidance and requirements, based on stakeholder feedback received since the publication of v4.0.
This update does not add or delete any requirements. Both versions, v4.0 and v4.0.1, remain active until December 31, 2024. After that, v4.0 will retire and only v4.0.1 will remain in effect, to promote the security of payment account data globally.
Summary of PCI Compliance v4.0
This update streamlines the PCI DSS requirements, while the additional guidance and supporting documents will assist businesses in implementing the controls. Adhere to these, and you will be prepared for a PCI DSS assessment.
We’d love for you to reach out to Cyphere for a complimentary consultation! It’s a great opportunity to discuss your concerns and collaborate on an action plan for PCI DSS.
FAQs PCI DSS v4.0
1. What are the changes for PCI compliance in 2024?
In 2024, PCI compliance saw the end of the transition period from v3.2.1 to v4.0, which concluded in March 2024. Also, PCI DSS v4.0.1 has been released, clarifying guidance and correcting typographical errors. Now, both versions, v4.0 and v4.0.1, will remain active until December 31, 2024, after which v4.0 will be retired, and v4.0.1 will continue to be in effect.
2. Do we need to implement PCI DSS 4.0 now?
Since PCI DSS v3.2.1 has been retired, and v4.0 is currently active until December 31, 2024, businesses must implement v4.0 to ensure their PCI DSS compliance.
3. When did PCI 4.0 come out?
The Payment Card Industry Security Standards Council (PCI SSC) officially published PCI DSS 4.0 in March 2022.
4. What is the difference between PCI 4.0 and 3.2.1?
PCI DSS v3.2.1, introduced in 2018, was rigid and unable to address the evolving threat landscape of modern IT, such as cloud and serverless environments. In contrast, v4.0 offers a more customised and flexible approach to risk management through continuous monitoring, defined roles and responsibilities, strong encryption standards, and other customised security controls. It also emphasises security awareness training.
5. Is PCI DSS 4.0 mandatory?
Yes, it is mandatory for organisations handling payment card data to comply by March 31, 2025.
6. Should you focus on PCI 4.0 or 4.0.1 now?
If you’re starting your PCI DSS compliance journey, focus on PCI DSS v4.0 to understand its foundational principles, as v4.0.1 is a limited version with no additional or deleted PCI DSS requirements.
If you are already familiar with v4.0, prioritise v4.0.1 for its updates and clarifications regarding PCI DSS scope. Keep in mind that version 4.0 will be retired in December 2024. Therefore, for organisations getting ready for audits, it is crucial to comply with the latest version (v4.0.1).
Original Post URL: https://securityboulevard.com/2025/01/what-is-pci-dss-4-0-is-this-still-applicable-for-2024/