Navigating the Shift: what changes in PCI DSS 4.0
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI Security Standards Council (PCI SSC) released version 4.0 of PCI DSS on 31st March 2022. This article provides an overview of the changes introduced in PCI DSS 4.0 and offers recommendations to help organisations remain compliant.
Why is the Transition Important?
The revisions introduced by PCI DSS 4.0 seek to address the changing security requirements of the payments industry, treating security as an ongoing process and giving organisations more flexibility in how they accomplish security goals. New requirements have also been added, and in some areas the standard provides additional clarification and guidance and reorganises existing content.
Compliance Deadline for PCI DSS 4.0
Version 4.0 of PCI DSS was published on 31st March 2022. However, the previous version, PCI DSS v3.2.1, remains active for two years, so PCI assessments started on or after 31st March 2024 will require compliance with version 4.0. Here is a brief roadmap to help you plan for this transition:
- Now till 31st March 2024: Become familiar with the new version, plan for the shift and implement the changes needed for PCI DSS 4.0.
- 31st March 2024: PCI DSS v3.2.1 will be retired and v4.0 becomes effective. PCI assessments started on or after this date will require compliance with the new version. Continue to implement the new requirements.
- 31st March 2025: Future-dated new requirements become effective. This is the official compliance deadline for PCI DSS 4.0, after which all new requirements must be fully considered as part of a PCI DSS assessment.
However, the move to the new version of PCI DSS is not solely about meeting a deadline; it is about improving the security of cardholder data. Begin your preparations now to ensure a smooth and successful migration to PCI DSS 4.0.
Key changes in PCI DSS 4.0
So what is changing in PCI DSS 4.0? Here are some of the key changes:
- Addressing Threats: The new version aims to address the threats currently experienced by the payment industry, including new requirements covering phishing and eCommerce security practices.
- Enhanced Security Measures: PCI DSS 4.0 provides more detailed guidance and reporting requirements to help organisations understand and implement robust security controls.
- Promoting Innovation: The new version encourages innovation in the payment industry by offering targeted risk analyses.
- Updated Core Requirements: The core security requirements have been updated to allow for a wider range of security technologies, shifting the focus from traditional security measures to advanced security configurations.
- Improved Data Security: Changes have been made to enhance account data security, improve cryptography practices, and protect devices from malware and other threats.
- Audit Logs: The term "audit logs" replaces "audit trails", with a greater focus on the information technology that generates and protects them.
- Compulsory Multi-factor Authentication: Multi-factor authentication (MFA) is now mandatory for all access into the cardholder data environment.
These changes aim to enhance the security of payment data and address sophisticated cyber attacks.
Recommendations for Compliance
- Review the New Standard: Given the significant changes, we recommend reviewing the entire standard instead of just focusing on the summary document.
- Gap Assessment: Conduct a gap assessment to identify the areas where your organisation currently does not meet the new requirements. This understanding will guide the changes needed for continued compliance.
- Update Policies and Procedures: Based on the results of your gap assessment, update your organisation's policies and procedures to align with the new requirements and guidance.
- Training: Ensure that your team is trained on the new requirements and changes. This is particularly important for software developers, given the new requirements for secure software development.
- Regular Audits: Conduct regular audits to ensure compliance with the new standard. Remember, PCI DSS compliance is not a one-time event. It is a continuous process.
By understanding the changes and taking proactive steps, organisations can remain compliant and address any gaps early in the process.
Useful Resources published by PCI SSC:
Contact us and talk directly to one of our instructors about the role training plays in PCI DSS compliance and the training course or courses to best suit your needs.
Additionally, learn more about how Security Awareness Training supports an organisation-wide culture of security and how the Secure Coding for PCI DSS course helps developers to apply the secure coding and application security standards needed for applications that process card payments and/or cardholder data.