Simplifying PCI DSS 4.0

Johns William
March 22, 2024

The Payment Card Industry Data Security Standard (PCI DSS) is the key security framework for organisations that handle and must secure cardholder data (credit and debit card information).

PCI DSS v3.2.1, the version of the standard that has been in effect since 2018, will be retired on 31 March 2024. PCI DSS v4.0 MUST be used by entities for PCI DSS attestation from 1 April 2024 onwards.

What PCI DSS 4.0 means for businesses

With the release of version 4.0, the PCI Security Standards Council (PCI SSC) has introduced several pivotal changes aimed at enhancing security measures and addressing emerging threats. For businesses, this means new challenges in achieving compliance with the new standard, but also opportunities to enhance their security posture. This article delves into what the new version of the PCI DSS standard entails and outlines both short- and long-term strategies for businesses aiming to achieve and maintain compliance.

What has changed in 4.0?

The six PCI DSS Goals and twelve PCI DSS requirement areas remain the same as in the previous standard. 64 new requirements have been added, 13 of which come into effect immediately, with the remaining 51 controls treated as best practice until March 31, 2025. Organisations can mark these 51 requirements as ‘Not Applicable’ until March 31, 2025, after which they become mandatory.

Key updates in PCI DSS 4.0

  • Six goals and twelve PCI DSS Requirement areas remain unchanged.
  • 64 new requirements in the new standard: 13 are applicable immediately and the remaining 51 apply from 1 April 2025.
  • Compensating Controls that existed in previous standards can also be used.
  • Introduction of targeted risk analysis to define the frequency of recurring controls.
  • Requirements are more aligned with industry standards.
  • Flexibility in meeting security objectives using the Defined & Customised Approach.

Defined vs Customised Approach Explained

One of the significant changes in PCI DSS 4.0 is the introduction of Defined Approach Requirements. This approach will be familiar to organisations: the requirements defined within the standard are followed as stated, and the assessor follows the defined testing procedures to verify that the requirements have been met.

Alternatively, PCI DSS also provides a Customised Approach Objective allowing organisations to choose to implement customised controls that meet the requirement’s stated Customised Approach Objective. These controls do not strictly follow the defined requirements but achieve the same control objective. Because each customised implementation will be different, there are no defined testing procedures. The assessor is required to derive testing procedures that are appropriate to the specific implementation to validate that the implemented controls meet the stated objectives.

The Customised Approach is often confused with compensating controls. While it is true that both aim to address security gaps, they serve distinct purposes and require different approaches. Compensating controls are alternative measures implemented by organisations to address specific PCI DSS requirements when the standard’s prescribed controls cannot be met. They serve as mitigating factors to compensate for deficiencies in meeting the standard’s explicit requirements and therefore, organisations should implement and document a compensating control for every PCI DSS requirement that the organisation cannot meet due to technical constraints.

Unlike compensating controls, customised controls are not intended to replace or compensate for standard PCI DSS requirements but rather to augment them. They allow organisations to tailor security measures to their specific business processes, technologies, and risk tolerances.
A well-designed customised control can potentially address multiple PCI DSS requirements simultaneously. For example, implementing a robust Identity and Access Management (IAM) system can address requirements related to access control (Requirement 7), authentication (Requirement 8), and monitoring access to cardholder data (Requirement 10).

PCI DSS 4.0 – Summary of New Requirements

Governance

  • Roles and Responsibilities for all PCI DSS requirements (12 PCI DSS requirement areas) are required to be documented. This may be documented within policies and procedures or maintained as separate documents.
  • A process to respond to critical security control systems failure is required.
  • PCI scope must be documented and confirmed every six months for service providers and every twelve months for merchants.
  • Security awareness programs must be reviewed every 12 months and training should include phishing and related attacks.
  • Incident response plans and procedures should include change and tamper detection processes for payment pages and detection of PAN.

Protecting Cardholder Data

  • A requirement to maintain an inventory of trusted keys and certificates has been included.
  • Enhanced requirement for use of keyed cryptographic hashes as well as the use of valid certificates to safeguard PAN during transmission over public networks.
  • Technical controls are required to prevent copy or relocation of PAN while using remote access technologies.
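As an added example (not from the article), the following Python shows what a keyed cryptographic hash of PAN looks like in practice, with each token carrying the ID of the key that produced it so it can be traced back to the trusted-key inventory. The key material, key IDs and the `kid$hex` token format are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo keys, labelled by key ID so each token records which key made
# it; real keys live in an HSM or KMS and are listed in the trusted-key inventory.
KEYS = {
    "k2023": b"constructed-demo-key-2023-not-for-production",
    "k2024": b"constructed-demo-key-2024-not-for-production",
}

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, so nothing that is not a PAN gets tokenised."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenize_pan(pan: str, kid: str) -> str:
    """Keyed hash of a PAN, formatted as 'kid$hex(HMAC-SHA256(key, digits))'.

    A plain, unkeyed digest gives little protection because the space of valid
    PANs is small; the secret key is what protects the stored token.
    """
    digits = re.sub(r"\D", "", pan)
    if not (12 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    mac = hmac.new(KEYS[kid], digits.encode(), hashlib.sha256).hexdigest()
    return f"{kid}${mac}"

def pan_matches_token(pan: str, token: str) -> bool:
    """Pick the key by ID, recompute, and compare in constant time."""
    kid, _, _ = token.partition("$")
    if kid not in KEYS:
        return False
    return hmac.compare_digest(tokenize_pan(pan, kid), token)

def rotate_token(pan: str, token: str, new_kid: str) -> str:
    """Re-tokenise under a new key: needs the PAN, as tokens are one-way."""
    if not pan_matches_token(pan, token):
        raise ValueError("token does not belong to this PAN")
    return tokenize_pan(pan, new_kid)
```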

Vulnerability Management

  • There is now a requirement to maintain an inventory of custom software in use to ensure vulnerabilities are identified and patched.
  • Anti-malware scans for removable media must be implemented as well as technical controls to prevent phishing attacks.
  • Internal vulnerability scans must use authenticated scanning techniques.

Access Management

  • User accounts, application and system accounts and related access privileges must be reviewed.
  • Enhanced password configuration requirements have been added.
  • MFA is required for all access to the CDE.
  • Passwords for interactive logins for application and system accounts must be managed.
  • Automated audit log reviews are required, such as leveraging a SIEM or other similar technology. No, a SOC is not required to satisfy this requirement.

Monitoring

  • IDS/IPS detection and alerting must be enabled for covert malware communications.
  • Change detection mechanisms for payment pages must be in place.
  • An automated technical solution for public-facing web applications to prevent web-based attacks must be in place.
  • Payment page scripts that are loaded and executed in the consumer’s browser must be managed.
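As an added example (not part of the article), one way to implement the payment page change detection and script management described in the last two bullets: parse every script on the served page, identify each by URL or content hash, and diff the result against an authorised inventory that records a business justification for each script. The sample page, hostnames and SRI value are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

def inline_id(body: str) -> str:
    """Identifier for an inline script: SHA-256 of its trimmed source text."""
    return "inline:" + hashlib.sha256(body.strip().encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Maps every <script> on a page to whether it carries an integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur, self._buf = {}, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur, self._buf = dict(attrs), []
    def handle_data(self, data):
        if self._cur is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            if "src" in self._cur:  # external: identified by URL, SRI is optional
                self.scripts[self._cur["src"]] = "integrity" in self._cur
            else:                   # inline: identified by a hash of its content
                self.scripts[inline_id("".join(self._buf))] = True
            self._cur = None

def audit_payment_page(html: str, authorized: dict) -> dict:
    """Diff the scripts actually served against the authorised inventory."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    found = parser.scripts
    return {
        "unauthorized": sorted(i for i in found if i not in authorized),
        "missing": sorted(i for i in authorized if i not in found),
        "no_integrity": sorted(i for i, sri in found.items() if not sri),
    }

# Constructed sample page and inventory; hostnames and the SRI value are placeholders.
CONFIG_SCRIPT = 'window.checkoutConfig = {currency: "AUD"};'
PAYMENT_PAGE = f"""<html><head>
<script src="https://js.example-psp.test/v3/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>{CONFIG_SCRIPT}</script></head><body>
<script src="https://cdn.unknown-vendor.test/tracker.js"></script></body></html>"""
AUTHORIZED = {  # identifier -> business justification, as the inventory should record
    "https://js.example-psp.test/v3/checkout.js": "payment processor SDK",
    inline_id(CONFIG_SCRIPT): "checkout configuration",
}
```

Run on a schedule against the live payment page, any non-empty `unauthorized` or `missing` list is the alert the incident response plan in the Governance section expects; `no_integrity` lists external scripts that could change silently because they carry no Subresource Integrity attribute.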

Transitioning to the new standard

Here are some of our recommended strategies for transitioning to PCI DSS v4.0:

  • Begin by conducting a thorough assessment of current security measures and identify gaps in meeting PCI DSS v4.0 requirements.
  • Educate employees about the updated standards and their roles in ensuring compliance, emphasising the importance of data security and privacy.
  • Promptly address any identified deficiencies by implementing appropriate security controls, such as multi-factor authentication, encryption protocols, and access controls.
  • Embed security into the organisation’s culture and processes, ensuring that it becomes an integral part of day-to-day operations rather than an afterthought.
  • Conduct periodic audits and assessments to evaluate compliance levels, identify areas for improvement, and maintain alignment with PCI DSS v4.0 standards.
  • Seek assistance from QSAs to validate compliance efforts and ensure alignment with PCI DSS v4.0 requirements.

What are the next steps?

Organisations should begin by familiarising themselves with the new requirements of v4.0 and conducting a comprehensive gap analysis to identify areas that need to be uplifted. Engaging with qualified security assessors (QSAs) can provide valuable guidance and validation throughout the transition process. By taking proactive steps, such as implementing necessary controls, regularly monitoring progress, and continuously refining security measures, organisations can successfully navigate the transition from PCI DSS 3.2.1 to 4.0.

If you need help getting started, please reach out!

Johns William

Johns William is the Senior Manager of Morrisec's Governance, Risk, and Compliance (GRC) function. Johns has an impressive background in leading organisations through complex security standards and frameworks. With over 20 years of experience in the field, Johns has established himself as an expert in PCI DSS, ISO/IEC 27001, NIST Cybersecurity Framework (NIST CSF), CPS 234, Australian Energy Sector Cybersecurity Framework (AES CSF) Essential 8 and Australian Government Information Security Manual (ISM).