The Payment Card Industry Data Security Standard (PCI DSS) exists to secure payment card data and encourage global adoption of consistent data security measures. For anybody involved in payment card account processing – merchants, processors, acquirers, issuers, and other service providers – the standard ensures they store, process and transmit payment card data securely.
The standard followed by the majority of these parties is currently PCI DSS v3.2.1, which was published back in May 2018. Since then, however, the complexity around securing payment card data has increased due to the adoption of new technologies such as cloud and serverless computing. Considering this, there has been a need for the standard to be updated.
This is where the long awaited Payment Card Industry Data Security Standard (PCI DSS) v4.0 comes in. Published by the PCI Security Standards Council (PCI SSC) on the 31st March 2022, it provides an update to v3.2.1. that will help the parties involved in payment card data processing to ensure their practices take these latest trends into account.
But what does this mean in practice and what are the biggest changes?
What’s Changing With PCI DSS v4.0?
These are the 10 most notable new requirements when comparing PCI DSS v4.0 to v3.2.1 (all future-dated and effective from the 31st March 2025).
- Detect and protect staff against phishing attacks
- Bi-annual review of all user accounts and related access privileges
- More stringent password requirements (length increasing from 7 to 12 characters, no hard-coding in the files or scripts)
- Multi-factor authentication required for all access to Card Data Environment (CDE) vs administrative access to CDE previously
- Revamp of multi-factor authentication requirements for secure implementation
- Daily log reviews by use of automated mechanisms vs the option of manual reviews previously
- Authenticated scanning for internal vulnerability scans
- Address covert malware communication channels by use of intrusion detection/prevention techniques
- More thorough, specific and targeted risk assessments
- Regular PCI DSS scope confirmation including card data discovery techniques
Addressing these changes
Bridewell are poised to support our clients in addressing these changes, leveraging our holistic set of consultancy capabilities combined with 24×7 Managed Detection & Response we can design, implement and manage these requirements to reduce the assurance risks, enabling our customers to continue to focus on their business and digital strategy.
From a technical perspective, if you are using any of the Microsoft 365 or Azure technologies, our Cloud Security Posture Assessment (CPSA) can identify how you can maximise your existing licensing to leverage their in-built security capabilities that enable you to achieve compliance to the latest standard requirements.
What Else Do I Need to Know?
Another important change in PCI DSS v4.0 is the introduction of an optional customised method of validation, which allows for more flexibility in choosing applicable controls. This method will be more suitable for organisations with a mature information security program and will require the assessed company to work closely together with the QSA (Qualified Security Assessor) to agree upon, and properly document, chosen controls and testing procedures.
When Does PCI DSS v4.0 Come Into Effect?
There will be a usual transition period of two years, meaning that PCI DSS v3.2.1 will remain active until the 31st March 2024. After this date, only v4.0 will be active. As always with a major version release, there will be a number of new, future-dated requirements. However, these requirements will only come into effect after the 31st March 2025 and, until then, will only be considered best practice. This gives companies ample time to prepare.
PCI DSS v4.0 implementation timeline is best shown in the figure below.
While there are some substantial changes in PCI DSS v4.0, there is also a generous amount of time provided for companies worldwide to prepare for them. However, given the sheer volume and complexity of changes companies are better off reviewing PCI DSS v4.0 and applicable changes sooner rather than later.