As the threat landscape shifts and risks to organizations evolve, so too must security standards to effectively address current and relevant risks.

To that end, the Payment Card Industry Security Standards Council has released version 4.0 of the Data Security Standards, the first major release since 2013. Changes are significant and may be onerous, even to those entities that are compliant with the PCI DSS version 3.2.1. One of the goals of the new version of the PCI DSS is to “promote security as a continuous process” and even though the effort to comply with updated and new requirements may be high, doing so will improve the information security posture of a compliant organization.

There may be a lot of work to do but given the generous three-year timeline between the publishing of the new standard and the date all new and updated controls become effective, there is time to tackle the effort in manageable chunks.

Bob Wilson, CISSP
Research Advisor, Security and Privacy

Info-Tech Research Group

• Complying with new the PCI obligations will require significant resources; you must create a cost-effective plan to minimize business and IT operational impact.
  
• It is unclear how the complexity of new PCI DSS requirements will impact your IT environment and business procedures.
  
• Not meeting compliance obligations will jeopardize already trusted relationships with customers and business partners.

• PCI DSS compliance goes beyond IT and requires participation from all business divisions.
  
• Compliance may require drastic changes to existing business processes.
  
• The full scope of the cardholder data environment may not be readily apparent.

• Info-Tech’s approach to facilitate a transition from the previous version of the PCI DSS to the newest version will borrow from previous research.
  
• This approach will assume the entity is already compliant with PCI DSS v3.2.1, as a starting point, and will proceed by:
• Initiating the transition effort.
• Defining and documenting the scope.
• Performing a gap analysis.
• Prioritizing and completing tasks and initiatives.
• Confirming gaps have been closed.

1. Install and maintain network security controls

2. Apply secure configurations to all components

3. Protect stored account data

4. Protect cardholder data with strong cryptography

5. Protect all systems and networks from malicious software.

6. Develop and maintain secure systems and software

7. Restrict access by business need to know

8. Identify users and authenticate access to components

9. Restrict physical access to cardholder data

10. Log and monitor all access

11. Test security systems and networks regularly

12. Support information security with organizational policies and programs

• Expanded multi-factor authentication and password requirements.
• New e-commerce and phishing requirements to address ongoing threats.

• Clearly assigned roles and responsibilities.
• Added guidance on how to implement and maintain security.
• Reporting option to highlight areas for improvement.

• Allowance of group, shared, and generic accounts.
• Targeted risk analyses empower organizations to establish frequencies for performing certain activities.

• Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.

Entities may choose
the defined approach:

requirements are implemented as described in the PCI DSS,
OR
a customized approach:
entities can implement controls in a way that meets the requirement objectives.

Version 4.0 of the PCI DSS focuses on promoting data security as a constant process, rather than a periodic event. There are requirements to monitor the effectiveness of controls as part of a
Business as Usual process.

Requirements were updated or added to address current risks and technologies. Some changes in languages better accommodate cloud services.

Evolving requirement - Changes to ensure that the standard is up-to-date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.

Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.

Structure or format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.

New requirements were added

A total of 64 requirements have been added to version 4.0 of the PCI DSS.

New requirements become effective March 31, 2024

The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

New requirements only for service providers

11 of the new requirements are applicable only to entities that provide party services to merchants.