PCI DSS v 4.0 - Overview & Changes

Table of Contents

• PCI DSS v 4.0 - Overview & Changes

  • Introduction

  • PCI DSS v4.0 vs 3.2.1 – Implications & Transition …

  • PCI DSS v4.0 – Documents Published

  • PCI Data Security Standards – 6 Controls & 12 Requ …

  • PCI DSS v4.0 vs v3.2.1 – Changes

  • PCI DSS v4.0 – Compliance Levels (remains unchange …

  • Implications of Non-Compliance with PCI DSS

  • Recommendations

  • Key Takeaways

  • References

Introduction

Credit and debit card payments continue to be the standard for payments around the world. The growing popularity of card payments offers a tempting and lucrative opportunity for hackers. As the use of card payments industry have increased significantly in last decade or so, the credit card fraud and theft have increased too.  

Payment Card Industry Data Security Standard (PCI DSS) is a global security standard with requirements for any organization that processes, stores, or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect and prevent customers’ payment data from being compromised/breached and ensures the security of credit card transactions in the payments industry.

PCI DSS provides a baseline of technical and operational requirements to ensure protection of Card Holder Data (CHD) i.e., sensitive credit card information. The latest standard- PCI DSS v4.0-just published on 31 March 2022, is now available.

Entire ecosystem of card payments – from merchants to banks to customers – gets impacted when card breaches occur, as hackers steal card holder information, typically for financial gains. Any such breach can mean a potential loss of revenue, customers, brand reputation, and trust. PCI DSS was established to ensure that all companies securely process their payment card transactions and failing to comply with PCI DSS will impact the organization’s customers and business.

PCI DSS v4.0 is an outcome based on collective input from global community, based on:

• 3 RFCs, released in 2019, 2020 and 2021, with more than 6 k+ comments / feedback received over 3 years period from 200+ unique companies.

Source - PCI DSS At a Glance

Source - PCI DSS At a Glance

PCI DSS v4.0 vs 3.2.1 – Implications & Transition Period

PCI DSS Transition Timelines – Source PCI DSS website

PCI DSS Implementation Timelines – Source PCI DSS website

PCI DSS v4.0 – Documents Published

The following documents can be found in the PCI SSC Document Library:

• PCI DSS v4.0

• Summary of Changes from PCI DSS v3.2.1 to v4.0

• PCI DSS v4.0 Report on Compliance (ROC) Template

• PCI DSS v4.0 ROC Attestations of Compliance (AOC) - both for merchants and service providers

• PCI DSS v4.0 ROC Frequently Asked Questions.

PCI Data Security Standards – 6 Controls & 12 Requirements

PCI DSS v4.0 vs v3.2.1 – Changes

“Summary of Changes from PCI DSS v3.2.1 to v4.0.pdf” document highlights all the key changes between PCI DSS v 3.2.1 vs PCI DSS v 4.0.

There are around a total of 64 new requirements in PCI DSS v 4.0 whereby, of these, 13 are immediately effective for all new v 4.0 based assessments and 51 are best practices until 31st March 2025 after which they become effective.

Out of these 64 new requirements; 53 are applicable for all entities that needs to comply with PCI DSS and 11 are applicable for services providers. 

Change Types:

There are 3 change types for PCI DSS standards revision – they are outlined per PCI SSC definitions below:

Below table summarizes these change types per each of the 12 PCI DSS requirements (the requirements names remains unchanged in PCI DSS v4.0):

Key Changes – Examples

Continue to meet the security needs of the payments industry.

• Expanded multi-factor authentication requirements.

• Updated password requirements.

• New e-commerce and phishing requirements to address ongoing threats.

 Promote security as a continuous process.

• Clearly assigned roles and responsibilities for each requirement.

• Added guidance to help people better understand how to implement and maintain security.

• New reporting option to highlight areas for improvement and provide more transparency for report reviewers

Increase flexibility for organizations using different methods to achieve security objectives.

• Allowance of group, shared, and generic accounts.

• Targeted risk analyses empower organizations to establish frequencies for performing certain activities.

• Customized approach, a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives.

Enhance validation methods and procedures.

• Increased alignment between information reported in a Report on Compliance or Self-Assessment Questionnaire and information summarized in an Attestation of compliance.

PCI DSS v4.0 – Compliance Levels (remains unchanged)

Compliance levels remains unchanged - there are 4-levels for merchants and 2-levels for service providers, determined by the annual number of transactions a merchant or service provider processes over one year.

Implications of Non-Compliance with PCI DSS

Depending on the PCI DSS level the organization falls under, failure to comply can lead to some strict consequences. For example, Visa has the right to change your level to a stricter level, regardless of the number of credit card transactions processed each year. For example, if your organization is currently a level 4, you may be bumped to a level 1 for failure to meet the level 4 compliance requirements.

Recommendations

If your organization is embarking on this journey for the 1st time, you should be a bit thorough in your assessment process vs organizations that already compliant with PCI DSS v3.2.1 and have been running PCI program. Whichever option you choose; the best approach is the one that combines both manual means (i.e., documentation reviews + interviews + payment process lifecycle walkthroughs) and technical discovery (i.e., logically collect data utilizing different technical tools/techniques to identify CHD) to get a complete validated state of your CHD environment and connected infrastructure.  

Engage an experienced and qualified internal assessor or an independent consultant/third-party to perform a PCI DSS v4.0 readiness assessment or gap analysis. It’s important to identify assets, vulnerabilities, and risks to card holder data (CHD) so to apply identification, protection, prevention, detection, and response controls. Ensure enough planning or preparation is done, and the PCI DSS initiative is socialized with relevant stakeholders to get appropriate time, budget, and resource commitments.

Key Takeaways

It all starts with an awareness on the changes to PCI DSS v4.0 standard, the new requirements and how it impacts your existing PCI DSS compliance status in the foreseeable future and what’s the potential impact to your organization in terms of costs, time and effort, and resource requirements.

Based on your budget and resources, the aim is to constantly be maturing on Securing your CHD rather than focusing on getting the compliance point in time – remember PCI DSS compliance is required throughout the year.

PCI SSC, throughout the year, will provide additional information to help the community understand the changes made to the standard. Subscribe to the PCI Perspectives blog for additional resources including podcasts, videos, and blog posts designed to help organizations navigate the transition to PCI DSS v4.0.

NEXT STEPS:

Understanding your current PCI DSS compliance status and program maturity starts with: PCI DSS Readiness Assessment & Gap analysis.

See Additional Resources by PCI SSC:

• Press Release: Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0

• Video: A Conversation with the Council: First Look at PCI DSS v4.0

• At a Glance: What is New with PCI DSS v4.0

• Podcast: Coffee with the Council: PCI DSS v4.0: A Preview of the Standard and Transition Training

• Blog: Countdown to PCI DSS v4.0

References

• https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf

• https://www.pcisecuritystandards.org/about_us/press_releases/pr_03312022

• https://www.pcisecuritystandards.org/document_library?category=pcidss&hsCtaTracking=8aa4514c-37d0-40bc-b864-ed4c4aebb5de%7C8d5a5e5f-7860-4a8c-97cc-d91f17654660

• https://blog.pcisecuritystandards.org/pci-dss-v4.0-a-preview-of-the-standard-and-transition-training

• https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0

• https://www.youtube.com/watch?v=o10vhgde1xU&list=PLckJKDl4V-rd-Spm9BlK7H84f_YryFe0m&index=2&ab_channel=PCISecurityStandardsCouncil  (published in Portuguese , Spanish, Japanese , and Chinese subtitles)

• https://blog.pcisecuritystandards.org/updated-pci-dss-v4.0-timeline

• https://blog.pcisecuritystandards.org/pci-dss-v4-0-anticipated-timelines-and-latest-updates

• Payment Security: PCI DSS v4.0 Expectations | Security Metrics Podcast 24

If you have concerns or needs around your PCI DSS standards compliance effort, feel free to reach out to me.

Please register your interest by dropping your name and email if you want to receive a deep dive training/workshop on this topic (Coming soon)

For securing Card holder data (CHD) using PCI DSS v4.0 standard - it’s a great day to start SecuringThings!