
Understanding the Top Changes in PCI DSS 4.0 – Source: securityboulevard.com


Source: securityboulevard.com – Author: Merton Notrem, Compliance Success Manager, Scytale

We get it – just when you’ve got to grips with PCI DSS version 3.2.1, along comes the new kid on the block with some significant plans to shake things up in the PCI DSS neighborhood.

Are you ready to navigate the change? Let’s dive in. 

PCI DSS Version 4.0

The Payment Card Industry Data Security Standard (PCI DSS) was initially launched in 2006. Although the core objective, ensuring the security of cardholder data, remains the same, the standard has to keep pace with evolving threats in a changing cybersecurity landscape.

This brings us to the latest version of the PCI DSS: version 4.0. Version 4.0 will come into effect on March 31, 2024. The new version brings significant changes in how businesses must comply with PCI DSS. These changes go into the intricacies of the security standard and can be challenging to navigate without cybersecurity expertise. In brief, all changes in the latest version stem from four core goals:

  • To ensure that the standard meets the security needs of an evolving payment industry.
  • To promote continuous security processes.
  • To enhance validation methods and procedures.
  • To add flexibility and support for alternative approaches to achieving security.

So, to help your business navigate through PCI DSS version 4.0, here are the top changes you must be aware of. 

What’s New in PCI DSS 4.0: An Overview of the Latest Changes

The PCI DSS is known as the global standard for establishing baseline security for cardholder data. However, even a mature standard can’t afford to stay stagnant amid emerging threats and technologies. Therefore, the following core changes have been introduced to better protect merchants and their customers from new threats against sensitive payment data. Here are the key takeaways to help you navigate your next PCI DSS audit.

  1. Additional customized approach

One of the most significant changes within the version update includes adding a customized approach to implementing and validating PCI DSS. 

The new, customized validation approach clearly defines the security outcome linked to each requirement. Organizations can then choose either to implement the control as prescribed or to use a customized implementation. With a customized implementation, companies can show that the intent of the requirement is met without having to provide an operational or technical justification.

The new customized approach gives organizations more flexibility in how they meet the security objectives of PCI DSS requirements. Organizations are now free to adopt new technology to help them reach the PCI DSS objectives, provided they adhere to some basic principles and guidelines. In brief, if an organization chooses a customized implementation approach, an assessor must validate that this approach meets the PCI DSS requirements. The validation process includes reviewing the entity’s approach documentation, controls matrix, and risk analysis.

  2. Stronger authentication measures

As the payments industry transitions rapidly to cloud platforms, merchants must implement more robust authentication standards.

To improve a merchant’s posture against emerging threats, the latest PCI DSS version is now better aligned with the National Institute of Standards and Technology (NIST) approach to digital identity authentication and life cycle management. Version 4.0 focuses on Identity and Access Management (IAM) and recognizes that it is critical to mitigating new threats against cardholder data. Some fundamental changes to authentication measures that merchants need to consider include:

  • Review access privileges at least twice per year.
  • Implement multi-factor authentication (MFA) for all accounts with access to cardholder data.
  • All passwords for payment applications and systems must be changed at least once a year, or in case of any suspicious activity or potential breach.
  • All passwords must be strong and unique and include at least 15 numeric and alphabetical characters.
  • All vendor and third-party accounts must only be used when needed and must be continuously monitored for vulnerabilities and security risks.

  3. New changes to the 12 requirements

The core 12 PCI DSS requirements continue to provide the foundation for PCI DSS compliance. However, version 4.0 brings much-needed improvements to a few essential requirements. The fundamental changes include, but are not limited to, the following (each entry lists the requirement, the significant changes, and the effective date):

Requirement 1: No significant changes. Effective date: not applicable.

Requirement 2: No significant changes. Effective date: not applicable.

Requirement 3 (effective March 31, 2025):
  • Merchants must encrypt or otherwise protect all stored sensitive authentication data.
  • Merchants using remote access technology must prevent the copying and relocation of PAN data, not only in policy but enforced by the relevant technology.
  • Merchants may no longer use disk-level encryption for protecting any kind of non-removable media.
  • Organizations may now only use a keyed cryptographic hash method (if they use a hash method to protect card data).

Requirement 4 (effective March 31, 2025): A new sub-requirement confirms that all merchants must document, track, and inventory all SSL and TLS certificates in use across public domains in order to strengthen their validity.

Requirement 5 (effective March 31, 2025): Organizations must now implement automated processes and systems to detect phishing attacks and protect personnel against them.

Requirement 6 (effective March 31, 2025):
  • Organizations must have a web application firewall in place for any web applications exposed to the Internet.
  • Organizations must keep an inventory of all known scripts used on those web pages to mitigate the use of malicious scripts.

Requirement 7 (effective March 31, 2025): No significant changes, although merchants are reminded to tighten account reviews and the processes around reviews for systems, users, and applications.

Requirement 8 (effective March 31, 2025): Strengthened authentication measures, as described above.

Requirement 9: No significant changes. Effective date: not applicable.

Requirement 10 (effective March 31, 2025):
  • Organizations are no longer allowed to review their logs manually. The process is deemed too time-consuming and error-prone, so merchants must implement automated log review tools.
  • All organizations are now required to detect, alert on, and address failures of critical security control systems. Previously this applied only to service providers; it has now been extended to everyone.

Requirement 11 (effective March 31, 2025): Organizations must implement a change and tamper detection mechanism for any payment pages.

Requirement 12 (immediately effective for 4.0 assessments): Merchants must conduct a documented scoping exercise annually or after significant changes to the in-scope environment.
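The script inventory (Requirement 6) and the change and tamper detection for payment pages (Requirement 11) can be covered by one recurring check: hash every script a payment page references and compare the result against an approved baseline. The Python below is an added example, not code from this post or from Scytale; the `fetch` callable, the page HTML and the script bodies are constructed stand-ins for a real fetch over HTTPS.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies in document order."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []            # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def build_inventory(html, fetch):
    """Return {script name: sha256 hex}. fetch(url) -> bytes of an external script
    (hypothetical callable; a production check would download it over HTTPS)."""
    c = _ScriptCollector()
    c.feed(html)
    inv = {url: hashlib.sha256(fetch(url)).hexdigest() for url in c.external}
    for i, body in enumerate(c.inline):
        inv[f"inline#{i}"] = hashlib.sha256(body.encode()).hexdigest()
    return inv


def diff_inventory(baseline, current):
    """Report scripts that appeared, disappeared or changed since the approved baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in baseline.keys() & current.keys()
                              if baseline[k] != current[k])}


# Constructed sample: the approved payment page, then a later capture of the same page.
APPROVED_HTML = '<html><body><script src="/js/checkout.js"></script>' \
                '<script>initCheckout({"currency": "USD"});</script></body></html>'
CURRENT_HTML = '<html><body><script src="/js/checkout.js"></script>' \
               '<script>initCheckout({"currency": "EUR"});</script>' \
               '<script src="https://cdn.example.test/x.js"></script></body></html>'
SCRIPT_BODIES = {"/js/checkout.js": b"function initCheckout(o){}",   # constructed
                 "https://cdn.example.test/x.js": b"/* not in the approved inventory */"}


def sample_report():
    fetch = lambda url: SCRIPT_BODIES[url]
    return diff_inventory(build_inventory(APPROVED_HTML, fetch),
                          build_inventory(CURRENT_HTML, fetch))
```

Any non-empty `added` or `changed` entry is the alert the requirement asks for: an unreviewed third-party script or a modified inline script on the payment page.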

How long do merchants have to comply with version 4.0? 

Merchants have until March 31, 2024, to fully implement and follow PCI DSS version 4.0, at which point the previous version (3.2.1) is entirely replaced. However, it’s important to note that some requirements came into effect immediately upon the release of version 4.0, while others are considered ‘best practice’ until the previous version is replaced on March 31, 2024, after which they become compulsory.

Conquer PCI DSS version 4.0 compliance with Scytale

Fortunately, these changes don’t have to leave you feeling anxious about where you stand regarding your PCI DSS compliance. Rather, automate the entire process to get (and stay) compliant up to 90% faster with Scytale. 

Conquer version 4.0 by implementing the relevant new changes, or jumpstart your compliance journey with experts by your side. We do PCI DSS compliance, so you don’t have to.

The post Understanding the Top Changes in PCI DSS 4.0 appeared first on Scytale.

*** This is a Security Bloggers Network syndicated blog from Blogs | Scytale authored by Merton Notrem, Compliance Success Manager, Scytale. Read the original post at: https://scytale.ai/resources/understanding-the-top-changes-in-pci-dss-4-0/

Original Post URL: https://securityboulevard.com/2023/07/understanding-the-top-changes-in-pci-dss-4-0/

Category & Tags: Security Bloggers Network, Cybersecurity, PCI DSS
