What’s New in PCI DSS v4.0

Published on February 28th, 2023

In March 2022, the Payment Card Industry (PCI) Security Standards Council released the latest version of the PCI Data Security Standard (DSS), version 4.0. Its predecessor, PCI DSS v3.2.1, remains active for two years, meaning that PCI assessments started on or after March 31, 2024 will also require PCI v4.0 report submissions.


At a high level, the 12 core PCI DSS requirements do not fundamentally change with the upcoming v4.0. The original v3.2.1 requirements remain the foundation of v4.0 and the existing methods used to measure compliance remain essentially the same. However, v4.0 updates focus on how the security controls should be implemented.


Key goals of PCI DSS v4.0 include:


  • Updating the standard to ensure it continues meeting security requirements
  • Improving current requirements through validation methods and procedures
  • Adding flexibility and support for methods to achieve the requirements
  • Promoting PCI security as part of a continually improving process


One noteworthy change in v4.0 introduces an alternate option for meeting compliance. Customized implementation, only applicable to those completing a Report on Compliance (ROC), considers an objective’s intent and allows businesses to design their own unique security controls to meet data security regulatory requirements.


This change, however, also has the potential to cause confusion if organizations miss the intended rigor of the requirement. Qualified security assessors (QSAs) must carefully scope new assessments, taking the time to thoroughly explain the control intent. While this may be possible for businesses with mature PCI controls and experienced PCI employees, other businesses may have difficulty understanding the nuances of the language and therefore complying with the control intent.


Building on a Zero Trust mindset, the v4.0 standard also lets organizations scale their authentication methods to fit their transaction control objectives and align them more closely with the risk ecosystem. This follows from the PCI Security Standards Council, in partnership with Europay International, Mastercard and Visa, adopting the “3DS Core Security Standard” for use during transaction authorization.


Although the Zero Trust security model is not directly mentioned in the new standard, its differences from PCI v3.2.1 indicate a subtle shift away from precise technical specifications and toward a broader, more progressive view of achieving adequate control.


Other v4.0 changes include recognizing the value of stronger authentication mechanisms within identity and access management (IAM) solutions for safeguarding cardholder data. This involves aligning more closely with the National Institute of Standards and Technology (NIST) authentication and lifecycle management models. As organizations within the payment industry migrate to cloud-based ecosystems, payment and control solutions must employ even stronger authentication methods. PCI DSS v4.0 addresses these requirements with:


  • Multi-factor authentication (MFA) for all accounts with access to cardholder data (no longer limited to the overarching cardholder data environment)
  • User passwords increased from 8 characters to 12 characters with alphanumeric complexity requirements
  • Application and system passwords increased to 15 characters with full complexity requirements (alphanumeric, upper and lower case and special characters)
  • Password changes required every 12 months or on suspicion of compromise. Prospective passwords are also compared to a list of known weak passwords
  • Privileged access reviews every six months minimum
  • Enablement of vendor and/or third-party accounts only as needed (and monitored while in use)
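As an added illustration (not code from the original post or from the PCI Security Standards Council), the following Python snippet applies the two password profiles listed above as a check that can run before a password is accepted. The complexity rules are my reading of the bullets and are assumptions: “alphanumeric complexity” is taken to mean at least one letter and one digit, and “full complexity” adds mixed case plus a special character. The weak-password list is a constructed stand-in for the much larger breached-password corpus a real deployment would load.

```python
from __future__ import annotations

import string
from dataclasses import dataclass

# Constructed stand-in for a known-weak-password list (assumption: a real
# deployment loads a large breached/common-password corpus instead).
KNOWN_WEAK_PASSWORDS = frozenset({
    "password", "password123", "welcome1", "qwerty123456", "letmein12345",
})


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_mixed_case: bool
    require_special: bool


# Profiles taken from the bullets above: 12 characters with letters and digits
# for interactive users, 15 characters with full complexity for application
# and system accounts. Both profiles always require letters plus digits.
USER_POLICY = PasswordPolicy("user", min_length=12, require_mixed_case=False, require_special=False)
SYSTEM_POLICY = PasswordPolicy("system", min_length=15, require_mixed_case=True, require_special=True)


def check_password(candidate: str, policy: PasswordPolicy,
                   weak_list: frozenset[str] = KNOWN_WEAK_PASSWORDS) -> list[str]:
    """Return every violation of `policy`; an empty list means the password is acceptable."""
    failures: list[str] = []
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)

    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if not (has_alpha and has_digit):
        failures.append("must contain both letters and digits")
    if policy.require_mixed_case and not (has_upper and has_lower):
        failures.append("must contain both upper and lower case letters")
    if policy.require_special and not has_special:
        failures.append("must contain a special character")
    # Case-insensitive comparison so "Password123" is caught as well as "password123".
    if candidate.lower() in weak_list:
        failures.append("appears on the known weak password list")
    return failures


if __name__ == "__main__":
    for pw, pol in [("password123", USER_POLICY), ("Correct2Horse4", USER_POLICY),
                    ("Correct2Horse4", SYSTEM_POLICY), ("Svc-Account#2024xyz", SYSTEM_POLICY)]:
        verdict = check_password(pw, pol)
        print(f"{pol.name:6} {pw!r:24} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The same candidate can pass the user profile and fail the system profile, which is the point of keeping the two profiles as data rather than hard-coding one rule set; the weak-list lookup is deliberately last so that a rejected password reports every reason at once.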


In addition to compliance and authentication, v4.0 also expands data encryption requirements to “trusted networks,” broadening the situations in which cardholder data must be encrypted, for example while a business waits for authorization.


Finally, v4.0 requires data discovery services to find all sources and locations of cleartext primary account numbers (PANs) at least once every 12 months. Discovery must also occur upon significant changes to the cardholder data environment or its supporting operational processes. The aim is to prevent malicious access to the environment: once malicious code is embedded in the network, cardholder data can be accessed at weak points in the data transmission path as authorization takes place.
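A minimal data-discovery scanner, added here as an example and not part of the original post or of any PCI-provided tooling: it finds 13 to 19 digit sequences (with optional space or dash separators), keeps only those that pass the Luhn check, and reports a masked form so the discovery report itself does not become another cleartext PAN store. The log lines are constructed sample data using publicly known test card numbers.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so a 20-digit trace id is not a hit).
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


class Finding(NamedTuple):
    line_no: int
    masked_pan: str
    digits: int


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(number: str) -> str:
    """Keep the first six and last four digits; everything else becomes '*'."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def scan_text(text: str) -> list[Finding]:
    """Report Luhn-valid PAN candidates per line, masked so the report holds no cleartext PAN."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_CANDIDATE.finditer(line):
            number = re.sub(r"[ -]", "", match.group())
            if 13 <= len(number) <= 19 and luhn_valid(number):
                findings.append(Finding(line_no, mask_pan(number), len(number)))
    return findings


# Constructed sample log using publicly known test card numbers; line 3 fails
# Luhn and line 4 carries a 20-digit identifier that must not be reported.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=8812 status=AUTH_PENDING card=4111 1111 1111 1111 exp=12/26
2024-03-01 10:02:12 order=8813 status=AUTH_PENDING card=5555-5555-5555-4444
2024-03-01 10:02:13 order=8814 status=DECLINED card=1234 5678 9012 3456
2024-03-01 10:02:14 trace_id=98765432109876543210 msg=heartbeat
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan} ({f.digits} digits)")
```

Running the block reports two masked hits (lines 1 and 2); the Luhn-failing number on line 3 and the 20-digit trace id on line 4 are ignored. A production discovery job has to apply the same logic to databases, backups, file shares and memory images, not only log files, and should record where each hit was found rather than the PAN itself.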


In closing, PCI DSS v4.0 should be a significant upcoming change for everyone involved in the payment card industry. In the meantime, expect plenty of debate, new council-issued guidelines and requirement clarifications leading up to March 2024 and beyond.
