After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and
project improvements our research helped them achieve. See our top member experiences for this blueprint and
what our clients have to say.
Average $ Saved
Average Days Saved
Bob was able to reassure me that we were on the right path for our PCI DSS journey. He promptly sent along some additional information which we will review.
Prepare for PCI DSS v4.0
Start early with a collaborative effort for a successful transition to the new version of the PCI DSS.
“…organization will set you free.”
As the threat landscape shifts and risks to organizations evolve, so too must security standards to effectively address current and relevant risks.
To that end, the Payment Card Industry Security Standards Council has released version 4.0 of the Data Security Standards, the first major release since 2013. Changes are significant and may be onerous, even to those entities that are compliant with the PCI DSS version 3.2.1. One of the goals of the new version of the PCI DSS is to “promote security as a continuous process” and even though the effort to comply with updated and new requirements may be high, doing so will improve the information security posture of a compliant organization.
There may be a lot of work to do but given the generous three-year timeline between the publishing of the new standard and the date all new and updated controls become effective, there is time to tackle the effort in manageable chunks.
Bob Wilson, CISSP
Research Advisor, Security and Privacy
Info-Tech Research Group
Complying with new the PCI obligations will require significant resources; you must create a cost-effective plan to minimize business and IT operational impact.
It is unclear how the complexity of new PCI DSS requirements will impact your IT environment and business procedures.
Not meeting compliance obligations will jeopardize already trusted relationships with customers and business partners.
PCI DSS compliance goes beyond IT and requires participation from all business divisions.
Compliance may require drastic changes to existing business processes.
The full scope of the cardholder data environment may not be readily apparent.
Info-Tech’s approach to facilitate a transition from the previous version of the PCI DSS to the newest version will borrow from previous research.
This approach will assume the entity is already compliant with PCI DSS v3.2.1, as a starting point, and will proceed by:
Initiating the transition effort.
Defining and documenting the scope.
Performing a gap analysis.
Prioritizing and completing tasks and initiatives.
Confirming gaps have been closed.
Your PCI compliance program must evolve to meet constantly evolving or new requirements.
It is best to collaborate, start early, and prioritize tasks and initiatives in a way that takes advantage of the PCI DSS v4.0 transition timeline.
PCI DSS Overview
The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designated to protect payment data. PCI DSS v4.0 is the next evolution of the standard.
Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all components
Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography
Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures
7. Restrict access by business need to know
8. Identify users and authenticate access to components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Log and monitor all access
11. Test security systems and networks regularly
Maintain an Information Security Policy
12. Support information security with organizational policies and programs
The 4 goals of PCI DSS v4.0
Continue to meet the security needs of the payments industry.
Promote security as a continuous process.
Flexibility for entities to achieve security objectives.
Enhance validation methods and procedures.
Expanded multi-factor authentication and password requirements.
New e-commerce and phishing requirements to address ongoing threats.
Clearly assigned roles and responsibilities.
Added guidance on how to implement and maintain security.
Reporting option to highlight areas for improvement.
Allowance of group, shared, and generic accounts.
Targeted risk analyses empower organizations to establish frequencies for performing certain activities.
Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of Compliance.
Security as a Process
Entities may choose
the defined approach:
requirements are implemented as described in the PCI DSS,
OR a customized approach:
entities can implement controls in a way that meets the requirement objectives.
Version 4.0 of the PCI DSS focuses on promoting data security as a constant process, rather than a periodic event. There are requirements to monitor the effectiveness of controls as part of a Business as Usual process.
Requirements were updated or added to address current risks and technologies. Some changes in languages better accommodate cloud services.
The types of changes
Evolving requirement - Changes to ensure that the standard is up-to-date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.
Clarification or guidance - Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Structure or format - Reorganization of content, including combining, separating, and renumbering of requirements to align content.
New requirements were added
A total of 64 requirements have been added to version 4.0 of the PCI DSS.
New requirements become effective March 31, 2024
The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.
New requirements only for service providers
11 of the new requirements are applicable only to entities that provide party services to merchants.
PCI DSS v.4.0 transition timeline
A transition strategy
The Info-Tech difference:
A focus on compliance as a business issue, rather than an IT issue, ensures impacts to business processes can be recognized and everyone understands their role in compliance.
Properly defining the scope for PCI DSS and reducing the scope where possible reduces the effort needed to maintain compliance.
Prioritizing gap remediation will make compliance efforts more efficient and will result in tangible successes delivered in an appropriate timeframe.
PCI DSS v4 compliance road map
Formally kick off the process of transitioning to PCI DSS v 4.0.
Document and define scope
Determine the boundaries and components of your cardholder data environment (CDE).
Perform gap analysis
Complete the Self-Assessment Questionnaire (SAQ) to determine gaps or engage a third party.
Prioritize, plan, and execute tasks and initiatives that will close gaps.
Revisit the SAQ and check that gaps have been closed.
1. Transition kick-off
Officially kick off the effort to transition from v3.2.1 to v4.0
Communicate the need for change to senior leadership and secure their support.
Communicate the need for change to your organization.
Identify a person or group of people responsible for driving the project:
A small committee representing all relevant business components is highly recommended.
Assign roles and responsibilities.
Review the PCI DSS v4 and become familiar with the requirements and objectives.
Engage with your QSA for guidance.
Documentation is one of the most important activities in this effort. Be sure to capture details of your communications, scoping, and plans.
Compliance with the PCI DSS is a business issue and can only be achieved with participation across all business units.
Outcomes of this step
A mandate for change by senior leadership
A group of individuals from different business components that will drive the transition
2. Document and define scope
Determine the boundaries and components of the cardholder data environment
Identify all components and systems that may store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
Produce a logical map of the cardholder data environment (CDE). Include:
All components that may transmit, store, or process CHD/SAD.
System and network boundaries.
Traffic flows and connections to other systems or third parties.
Reduce scope, if possible.
Segregate your CDE and non CDE systems.
Eliminate the handling of CHD/SAD where possible.
Segmentation can significantly decrease the burden of compliance by reducing the size of the environment to which the PCI DSS is applicable.
Requirement 12.5.2 (effective March 2024) states the entity must document and confirm PCI DSS scope at least once a year or on significant change.
Outcomes of this step
Documentation of your cardholder data environment.
Catalog of systems and devices.
Category 1: CDE
System components that process, store, or transmit CHD/SAD.
System components that have uncontrolled access to systems that process, store, or transmit CHD/SAD.
Category 2: CDE adjacent
System components that provide security services (e.g. remote access/Firewalls/IPS/etc.) to Cat 1 systems.
System components that can initiate controlled connections with Cat 1 systems.
System components that can only receive controlled connections from Cat 1 systems.
System components which, through indirect and controlled access, can administer Cat 1 systems.
Category 3: Everything else
Systems that do NOT store, process, or transmit any CHD/SAD and are isolated from Category 1 and Category 2 systems
3. Perform gap analysis
Do a gap analysis in-house or engage with a third party.
Decide if the gap analysis will be performed in-house or by a third party.
If the decision is to perform the gap analysis in-house, choose the appropriate SAQ for your organization and complete it
It will be helpful to refer to the previous SAQ.
Compile a list of requirement gaps that will need to be closed.
Be careful about engaging your QSA for your gap analysis. Using the same assessor and auditor is not ideal.
The “Build a Security Compliance Program” blueprint can provide guidance and tools that will help you establish an effective compliance program.
This project will guide you through the steps to develop and implement an effective Information Security Strategy.
SEAN D. GOODWIN, GSE
Manager – DenSecure by Wolf & Company, P.C.
Wolf & Company, P.C
“At a Glance: PCI DSS v4.0.” PCI Security Standards Council, LLC, March 2022. Accessed 6 Sep. 2022.
“Payment Card Industry Data Security Standard Requirements and Testing Procedures Version 4.0” PCI Security Standards Council, LLC, March 2022. Accessed 13 Sep. 2022
“Summary of Changes from PCI DSS Version 3.2.1 to 4.0.” PCI Security Standards Council, LLC, March 2022. Accessed 6 Sep. 2022.
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
8.0/10 Overall Impact
$2,000 Average $ Saved
1 Average Days Saved
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.