After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and
project improvements our research helped them achieve. See our top member experiences for this blueprint and
what our clients have to say.
Bob was able to reassure me that we were on the right path for our PCI DSS journey. He promptly sent along some additional information which we will review.
Prepare for PCI DSS v4.0
Start early with a collaborative effort for a successful transition to the new version of the PCI DSS.
“…organization will set you free.”
As the threat landscape shifts and risks to organizations evolve, so too must security standards to effectively address current and relevant risks.
To that end, the Payment Card Industry Security Standards Council has released version 4.0 of the Data Security Standard, the first major release since version 3.0 in 2013. The changes are significant and may be onerous, even for entities that are already compliant with PCI DSS version 3.2.1. One of the goals of the new version of the PCI DSS is to “promote security as a continuous process,” and even though the effort to comply with the updated and new requirements may be high, doing so will improve the information security posture of a compliant organization.
There may be a lot of work to do but given the generous three-year timeline between the publishing of the new standard and the date all new and updated controls become effective, there is time to tackle the effort in manageable chunks.
Bob Wilson, CISSP
Research Advisor, Security and Privacy
Info-Tech Research Group
Complying with the new PCI obligations will require significant resources; you must create a cost-effective plan to minimize business and IT operational impact.
It is unclear how the complexity of new PCI DSS requirements will impact your IT environment and business procedures.
Not meeting compliance obligations will jeopardize already trusted relationships with customers and business partners.
PCI DSS compliance goes beyond IT and requires participation from all business divisions.
Compliance may require drastic changes to existing business processes.
The full scope of the cardholder data environment may not be readily apparent.
Info-Tech’s approach to facilitate a transition from the previous version of the PCI DSS to the newest version will borrow from previous research.
This approach will assume the entity is already compliant with PCI DSS v3.2.1, as a starting point, and will proceed by:
Initiating the transition effort.
Defining and documenting the scope.
Performing a gap analysis.
Prioritizing and completing tasks and initiatives.
Confirming gaps have been closed.
Your PCI compliance program must evolve to meet constantly evolving or new requirements.
It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.
PCI DSS Overview
The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 is the next evolution of the standard.
Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all components
Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography
Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures
7. Restrict access by business need to know
8. Identify users and authenticate access to components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Log and monitor all access
11. Test security systems and networks regularly
Maintain an Information Security Policy
12. Support information security with organizational policies and programs
The 4 goals of PCI DSS v4.0
Continue to meet the security needs of the payments industry.
Promote security as a continuous process.
Flexibility for entities to achieve security objectives.
Enhance validation methods and procedures.
Expanded multi-factor authentication and password requirements.
New e-commerce and phishing requirements to address ongoing threats.
Clearly assigned roles and responsibilities.
Added guidance on how to implement and maintain security.
Reporting option to highlight areas for improvement.
Allowance of group, shared, and generic accounts, but only on an exception basis: use must be limited to the time needed, have documented business justification and management approval, and every action must remain attributable to an individual user (Requirement 8.2.2).
Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
Security as a Process
For each requirement, entities may choose the defined approach, in which the requirement is implemented and tested exactly as described in the PCI DSS, or the customized approach, in which the entity implements controls of its own design that meet the stated objective of the requirement. The customized approach carries its own obligations: the entity must document the control and perform a targeted risk analysis for it, and the assessor must derive and perform testing procedures to validate it. Because assessor validation is required, the customized approach is not available to entities that self-assess using a Self-Assessment Questionnaire.
Version 4.0 of the PCI DSS focuses on promoting data security as a constant process, rather than a periodic event. There are requirements to monitor the effectiveness of controls as part of a Business as Usual process.
Requirements were updated or added to address current risks and technologies. Some changes in language better accommodate cloud services and other outsourced environments.
The types of changes
Evolving requirement - Changes to ensure that the standard is up-to-date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.
Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Structure or format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.
New requirements were added
A total of 64 requirements have been added to version 4.0 of the PCI DSS.
13 of the new requirements are effective immediately for every assessment performed against v4.0. PCI DSS v3.2.1 is retired on March 31, 2024, after which v4.0 is the only active version and all assessments must be performed against it.
The other 51 new requirements are considered best practice until March 31, 2025, at which point they become mandatory and are assessed like any other requirement.
New requirements only for service providers
11 of the new requirements apply only to service providers, that is, entities that provide third-party services to merchants that involve storing, processing, or transmitting account data or that could affect its security.
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
8.0/10 Overall Impact
$2,000 Average $ Saved
1 Average Days Saved