What Changes Are Being Made In PCI DSS 4.0?

Quick Hits: 

• The PCI SSC has released the latest version of PCI DSS in March 2022. 
• PCI DSS version 4.0 aims to address developing threats and technologies, facilitate more effective ways to combat new threats to cardholder information, boost payment flexibility, and improve business procedures to meet security needs. 
• Merchants have until March 31, 2024, to fully implement and follow the latest PCI DSS version within their organizations, as version 4.0 will replace the retired version 3.2.1. 
• Version 4.0 will likely have a future effective date for organizations to implement this standard based on the new requirements’ impact on applying the security controls in the standard.   

What Is New in PCI DSS 4.0? 

On March 31, 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the PCI Data Security Standard (PCI DSS). The PCI DSS provides a baseline of technical and operational standards for merchants worldwide to help protect sensitive cardholder data. This latest version will replace PCI DSS version 3.2.1, published in 2018, to address emerging threats and provide innovative ways to fight against new threats. 

Version 4.0 includes feedback from over 200 businesses, which have provided more than 6,000 pieces of feedback over the past 3 years towards this newest PCI DSS standard. This invaluable feedback will help ensure that the global standard remains useful and relevant in today’s complex and rapidly changing payment security landscape. Since the pandemic, several changes have occurred in the payments industry, including a surge in online purchases, point-of-sale (POS) devices, and cardholder data being stored on cloud platforms.  

While the 12 PCI DSS requirements will continue to be the core foundation for securing cardholder data, these requirements have been restructured to focus on security objectives that offer guidance regarding how security controls should be used. These changes for PCI DSS version 4.0 include: 

• Adding flexibility and additional methods to maintain payment security. 
• Encouraging security as a continuous process. 
• Improving payment validation methods and procedures. 
• Ensuring that the latest standard continues to meet the payment industry’s security needs. 

In addition to the current prescriptive compliance approach, PCI DSS 4.0 welcomes an alternative to achieve compliance – customized implementation. Customized implementation focuses on the objective’s purpose and enables organizations to establish security controls to meet their needs. Indeed, this change will help companies adjust implementation procedures and achieve compliance requirements.  

Stronger Authentication Requirements 

As new threats continue to surface, Identity and Access Management (IAM) can help protect cardholder data. The latest PCI DSS version understands this and is aligned with the National Institute of Standards and Technology (NIST) guidance for authentication and life cycle management regarding digital identities. This is necessary as the payments industry is transitioning to operating on cloud platforms, which requires more robust authentication standards for payments and access logins. Specifically, PCI DSS 4.0 considers the following:  

• Access privileges need to be reviewed a minimum of twice a year. 
• Multifactor authentication (MFA) should be used for all accounts with access to sensitive cardholder data, rather than just the security administrators. 
• Passwords for accounts used by payment applications and systems should be changed once a year and during suspicious activity or a breach. 
• Use strong, unique passwords for accounts, such as having at least 15 characters that include both numeric and alphabetic characters. PCI DSS indicates that prospective passwords be compared against a list of known bad passwords. 
• Vendor or third-party accounts should only be used as needed and monitored for security risks. 

Furthermore, the PCI DSS version 4.0 standard is based on a zero-trust model. This model allows businesses to customize a unique authentication solution to achieve data security regulatory requirements that scale to fit their payment objectives and security risk environments. To help improve payment authorization rates, PCI SSC has partnered with the major card brands Europay, Mastercard, and Visa to allow merchants to use 3DS Core Security Standard during the transaction authorization process.

More Applications for Data Encryption 

This latest standard has expanded the applications for encrypting cardholder data to help protect it from theft. Organizations must discover the sources and locations of cleartext primary account numbers (PANs) at least once a year and whenever there are significant changes to cardholder data environments or processes. This change is essential because malicious code is a serious issue for financial organizations that handle payment data. If harmful code reaches a private network, hackers can retrieve valuable information through cardholder data transmissions.  

By offering a customized implementation approach, businesses have the flexibility to find solutions that work best for their needs and challenges. This means merchants aren’t required to follow prescribed methods or use a security control that doesn’t work well for their payment or PCI DSS objectives. Businesses can use IAM, MFA, and encryption to protect sensitive cardholder information and digital payments, which is the main principle of zero-trust security.  

PCI DSS 4.0 Release Date 

PCI DSS 4.0 had a formal release in March 2022, including the final versions of the latest standard, validation documents, and the first phase of the standard’s translations. Training for QSAs and ISAs to support and implement 4.0 is expected to be available in June 2022.  

PCI DSS 4.0 Transition Timeline 

Even though PCI DSS 4.0 has been officially published, the older PCI DSS version 3.2.1 will be operational for the next 2 years (March 2022 to March 2024). This transition period aims to help organizations have sufficient time to get used to the new changes in version 4.0, update their reporting templates and forms, and make plans to implement changes to meet the latest standard requirements. Supporting documents include AOC, ROC, and SAQ.

On March 31, 2024, PCI DSS v.3.2.1 will be retired, and version 4.0 will be the only active standard version. It’s important to note that PCI DSS 4.0 will have a future effective date that will depend on the new requirements’ impact on implementing the standard’s security controls. This future date is expected to extend past the planned transition period with a potential future date 2 ½ to 3 years after 4.0 has been released.  

Protect What Matters Most 

Achieving PCI compliance is a complex and continuous process for organizations that accept, process, and handle sensitive cardholder data. It’s recommended for merchants to use a layered security solution to protect what matters most – their customers’ payment and personal information. Payment tokenization is one of many solutions that can help by replacing sensitive payment data with randomly generated sets of unique numbers known as tokens. These tokens can be used to tokenize credit card numbers, bank account numbers, names, addresses, etc. Tokens lack sensitive details that could be compromised due to a breach or card fraud. If you’re interested in learning more about tokenization, contact TokenEx to learn how we can help protect your sensitive payment data, maintain critical business utility, and achieve PCI compliance.