The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized compliance framework that ensures the security of credit and debit card information. It was brought into action in 2004 by the PCI Security Standards Council (PCI SSC), a non-profit organization established by Visa, MasterCard, American Express, Discover, and JCB to manage and supervise the PCI DSS.
On March 31, 2022, the PCI SSC published an updated version of the standard to address emerging threats and technologies, enable more effective means of combating new threats to cardholder information, increase payment flexibility, and improve business practices to satisfy security needs.
The new standard is hundreds of pages longer than the previous version and is a significant revision that may seem unfamiliar even to those familiar with PCI DSS v3.2.1. Most requirements have been altered in some way, ranging from requirement number, position, and wording changes to new requirements and testing methods.
One of the most notable changes is to the reporting documentation, which now contains a new assessment finding status (i.e., In Place with Remediation) and a new validation method dubbed “Customized Approach.”
In this blog, we will provide a detailed overview of what you need to know about the latest version of PCI DSS, i.e., PCI DSS 4.0.
What are the Goals of PCI DSS 4.0?
The essential structure of PCI DSS v4.0 remains the same, with 12 PCI DSS requirements. If you want an overview of the PCI DSS compliance as implemented until now, check out this article here.
However, major changes have been made to the arrangement of the requirements and, in many cases, to the wording itself. Some requirements were moved to other sections to better suit the purpose and intent of the document. There are four high-level objectives for the new PCI DSS 4.0 standard:
- Ensure that the standard continues to suit the payments industry’s security needs.
- Promote security as an ongoing effort.
- Improve validation techniques and methods.
- Increase flexibility and support for additional approaches in order to accomplish security.
What is the Customized Approach?
PCI DSS 4.0 maintains the existing prescriptive compliance technique (the Defined Approach) while introducing a new Customized Approach option for meeting a requirement. Organizations can use the Customized Approach to apply novel technologies and innovations to fulfill a control objective in a way that may not follow the defined requirement exactly. This is meant to give organizations more flexibility, provided they demonstrate that their unique solution meets the intent of the PCI DSS requirement.
The new Customized Approach validation method is a more developed model than the prior Compensating Controls validation approach. More vetting and evaluation, including controls matrix documentation and a targeted risk analysis, are required to guarantee that the assessed entity has properly addressed all associated risks and that the control objectives are met.
What are the 12 Additional Requirements You Should Know About?
If you want to know more about the PCI DSS requirements implemented until now, look at this article here.
The new PCI DSS 4.0 standard contains 64 revised or added requirements. Here are the 12 changes you should be aware of.
- Formalized Annual Scoping Exercise
Under PCI DSS 3.2.1, organizations were already expected to conduct an annual scoping exercise, but the onus was on the organization being evaluated to ensure this procedure was carried out correctly. PCI DSS v4.0 formalizes this requirement, and an assessor will now validate it as one of the standard’s new requirements.
- Updated Password Authentication Requirements
The password parameters now include:
  - Minimum Password Length – 12 characters (previously 7 characters)
  - Password History – previous 4 passwords may not be reused
  - Password Expiration – 90 days*
  - Minimum Complexity – numeric and alphabetic characters
  - Lockout Requirements – no more than 10 failed attempts (previously 6 attempts)
  - Minimum Lockout Duration – 30 minutes
*PCI DSS v4.0 offers more alternatives to the 90-day expiration criterion. It clarifies that the control can also be met by using MFA, or by performing a real-time dynamic analysis of a user account’s security posture in line with a zero-trust architecture.
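To make the parameters above concrete, here is an added example (not code from the original post or from Akitra) of a small account model that enforces them: 12-character minimum, numeric and alphabetic complexity, no reuse of the last 4 passwords, 90-day expiry, and a 30-minute lockout after 10 failed attempts. The function and field names are assumptions chosen for the example, and the PBKDF2 storage of password hashes is a design choice rather than something the standard prescribes.

```python
"""Added example: enforcing the PCI DSS v4.0 password parameters listed above.

Names (Account, set_password, authenticate, ...) are assumed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 12                          # previously 7
HISTORY_DEPTH = 4                        # last 4 passwords may not be reused
MAX_AGE = timedelta(days=90)             # expiry unless MFA/dynamic analysis is used
MAX_FAILED_ATTEMPTS = 10                 # previously 6
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed reference time used by the demo below
EPOCH = datetime(2024, 1, 1)
ONE_DAY = timedelta(days=1)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored verifiers are not directly reversible
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: List[bytes] = field(default_factory=list)   # last HISTORY_DEPTH verifiers, current last
    changed_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def check_complexity(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


def set_password(acct: Account, password: str, now: datetime) -> List[str]:
    """Apply a new password; returns violations (empty on success)."""
    problems = check_complexity(password)
    digest = _hash_password(password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.history = (acct.history + [digest])[-HISTORY_DEPTH:]
    acct.changed_at = now
    return []


def password_expired(acct: Account, now: datetime) -> bool:
    return acct.changed_at is None or now - acct.changed_at > MAX_AGE


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'failed', 'expired' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None                      # lockout window has passed
    digest = _hash_password(password, acct.salt)
    current = acct.history[-1] if acct.history else b""
    if not acct.history or not hmac.compare_digest(digest, current):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
        return "failed"
    acct.failed_attempts = 0
    return "expired" if password_expired(acct, now) else "ok"


def demo() -> List[str]:
    """Walk one constructed account through the policy; returns the outcomes."""
    acct = Account()
    out = []
    out.append("reject" if set_password(acct, "Short1", EPOCH) else "accept")
    out.append("reject" if set_password(acct, "correct-horse-42", EPOCH) else "accept")
    out.append("reject" if set_password(acct, "correct-horse-42", EPOCH) else "accept")  # reuse
    out.append(authenticate(acct, "correct-horse-42", EPOCH + ONE_DAY))
    out.append(authenticate(acct, "correct-horse-42", EPOCH + 91 * ONE_DAY))
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(acct, "wrong-password-99", EPOCH)
    out.append(authenticate(acct, "correct-horse-42", EPOCH))                   # locked
    out.append(authenticate(acct, "correct-horse-42", EPOCH + timedelta(minutes=31)))
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the reuse check compares hashes derived with the same per-account salt, so the history can be stored without keeping any plaintext; the expiry branch is where an implementation relying on MFA or dynamic posture analysis would substitute its own logic.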
- Multi-factor authentication
The requirements for MFA for remote access and for access into the cardholder data environment (CDE) have been clarified in PCI DSS 4.0. If remote access lands on a network outside the CDE, an additional MFA control is required to enter the CDE from that network. This is significant because the new standard also clarifies that networks with access to the CDE (where connected systems exist) must likewise implement MFA for remote access.
- Risk assessment
Instead of requiring organizations to use a single risk assessment approach, PCI DSS v4.0 mandates a targeted risk analysis for every requirement where flexibility is permitted. Such risk analyses must be performed at least once a year for each instance, for example for each control that must be carried out “periodically.” The outcomes of this exercise must be documented and provided to the assessor for examination before the PCI assessment.
- Ownership and responsibilities
Organizations must now explicitly specify ownership, roles, and responsibilities for all required tasks. Each owner must have their role explicitly defined and assigned, understand it, and take responsibility for all activities involved.
- PAN hashing and encryption
A primary account number (PAN) must be hashed in its entirety using keyed cryptography for the hashes to be effective. Organizations will no longer be able to hash only part of the PAN. Additionally, except for PAN stored on removable media, disk encryption will no longer be accepted as the sole control to protect PAN at rest.
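The reason a keyed hash over the whole PAN is required is easier to see with a worked example. The block below is an added illustration, not code from the original post or from Akitra: it hashes a constructed test PAN with HMAC-SHA256 under a secret key, and contrasts that with an unkeyed SHA-256 hash, which can be matched back to the PAN by anyone who also holds the truncated (first-six/last-four) form, because only the middle digits are unknown and the Luhn check digit narrows them further. All function names and the test PAN are assumptions for this example.

```python
"""Added example: keyed PAN hashing versus unkeyed hashing.

Constructed test PAN 4111111111111111 (a well-known test number, not a real card).
Function names are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from typing import Iterator, Optional


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN; the key must be stored separately from the data."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """The weak alternative: a plain hash with nothing secret in it."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def truncate(pan: str) -> str:
    """Display form commonly retained: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidate_pans(truncated: str) -> Iterator[str]:
    """Every Luhn-valid PAN consistent with a truncated first6/last4 form."""
    first, last = truncated[:6], truncated[-4:]
    width = len(truncated) - 10
    for n in range(10 ** width):
        pan = f"{first}{n:0{width}d}{last}"
        if luhn_valid(pan):
            yield pan


def match_unkeyed_hash(truncated: str, digest: str) -> Optional[str]:
    """Shows the exposure: an unkeyed hash plus the truncated PAN identifies the full PAN."""
    for pan in candidate_pans(truncated):
        if unkeyed_pan_hash(pan) == digest:
            return pan
    return None


def new_hash_key() -> bytes:
    """A 256-bit key; in production this lives in an HSM or key-management service."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    pan = "4111111111111111"
    key = new_hash_key()
    print("truncated :", truncate(pan))
    print("keyed     :", keyed_pan_hash(pan, key))
    print("unkeyed   :", unkeyed_pan_hash(pan))
    print("unkeyed hash matched back to:", match_unkeyed_hash(truncate(pan), unkeyed_pan_hash(pan)))
```

With the key held outside the database, the same enumeration against the keyed hash is not possible without the key, which is why the standard ties the keyed hash requirement to separate key management; disk encryption alone does not address this, since a process reading the mounted volume sees the decrypted values.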
- Malware requirements
The anti-virus requirements will be more flexible for organizations based on targeted risk assessments. There is a new control required to be in place that detects and protects personnel against phishing attacks.
- Web applications available for public use
For public-facing web applications, PCI DSS v4.0 mandates the deployment of an automated technical solution that continuously detects and prevents web-based attacks. This solution must be placed in front of web applications that are accessible to the general public and configured to either block web-based attacks or generate an alert that is promptly investigated.
- HTTP headers
This is a new requirement for a change- and tamper-detection mechanism that alerts personnel to any unauthorized modification of the HTTP headers and the contents of payment pages as received by the consumer’s browser. It is intended to help mitigate the effects of Magecart-style attacks.
- Payment page scripts
Organizations will be expected to manage all payment page scripts loaded and run in a customer’s browser (and employ appropriate controls to maintain their integrity). This includes scripts that are retrieved from external websites.
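The two requirements above (tamper detection for payment page headers and content, and an inventory of authorized payment page scripts with integrity controls) share one underlying mechanism: record an approved baseline, then compare what the browser actually receives against it. The block below is an added example, not code from the original post or from Akitra. It computes Subresource Integrity (SRI) hashes for an approved script inventory, records the security headers a payment page is expected to carry, and reports any header change, modified script, unapproved script, or missing approved script. The headers, script names and bodies are constructed sample data, and the function names are assumptions.

```python
"""Added example: baseline-and-compare integrity monitoring for a payment page.

Sample headers and scripts below are constructed; function names are assumptions.
"""
import base64
import hashlib
from typing import Dict, List

# Headers whose values should not change without an authorized change record
MONITORED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
)


def sri_hash(script_bytes: bytes) -> str:
    """SRI value in the form browsers accept in the integrity attribute."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, script_bytes: bytes) -> str:
    """The tag to embed so the browser itself refuses a modified script."""
    return (f'<script src="{src}" integrity="{sri_hash(script_bytes)}" '
            f'crossorigin="anonymous"></script>')


def build_baseline(headers: Dict[str, str], scripts: Dict[str, bytes]) -> dict:
    """Approved state: monitored header values plus the authorized script inventory."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
        "scripts": {src: sri_hash(body) for src, body in scripts.items()},
    }


def check_page(baseline: dict, observed_headers: Dict[str, str],
               observed_scripts: Dict[str, bytes]) -> List[str]:
    """Compare what a client received against the baseline; returns alerts."""
    alerts = []
    obs = {k.lower(): v for k, v in observed_headers.items()}
    for h, expected in baseline["headers"].items():
        if obs.get(h) != expected:
            alerts.append(f"header changed: {h}: {expected!r} -> {obs.get(h)!r}")
    for src, body in observed_scripts.items():
        expected = baseline["scripts"].get(src)
        if expected is None:
            alerts.append(f"unauthorized script: {src}")
        elif sri_hash(body) != expected:
            alerts.append(f"script modified: {src}")
    for src in baseline["scripts"]:
        if src not in observed_scripts:
            alerts.append(f"approved script missing: {src}")
    return alerts


# Constructed approved state for a checkout page
APPROVED_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://cdn.example",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
APPROVED_SCRIPTS = {
    "/static/checkout.js": b"console.log('checkout v1');",
    "https://cdn.example/psp.js": b"window.psp = {};",
}
BASELINE = build_baseline(APPROVED_HEADERS, APPROVED_SCRIPTS)


def demo_tampered() -> List[str]:
    """A constructed observation with a dropped CSP header, an edited script and an extra one."""
    headers = dict(APPROVED_HEADERS)
    del headers["Content-Security-Policy"]
    scripts = dict(APPROVED_SCRIPTS)
    scripts["/static/checkout.js"] = b"console.log('checkout v1'); fetch('https://unknown-cdn.example/c');"
    scripts["https://unknown-cdn.example/extra.js"] = b"/* not in inventory */"
    return check_page(BASELINE, headers, scripts)


if __name__ == "__main__":
    for src, body in APPROVED_SCRIPTS.items():
        print(script_tag(src, body))
    print(check_page(BASELINE, APPROVED_HEADERS, APPROVED_SCRIPTS))
    print(demo_tampered())
```

In practice the observation side runs from outside the server (a synthetic client or browser-reported data), since the point of the control is to catch changes the server-side team did not make; the SRI tags additionally let the browser enforce the inventory on every load.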
- Log Requirements
Only ‘automated mechanisms’ will be permitted for audit log review, so daily manual reviews will no longer be acceptable. Additionally, the requirements surrounding detection of and response to critical security control failures will now apply to all organizations rather than only to service providers.
- Internal Vulnerability Scanning
Internal vulnerability scans must be authenticated (credentialed) unless the system being scanned cannot accept credentials. PCI DSS v4.0 also requires controls to protect the scanning credentials themselves, which helps reduce the likelihood of card fraud.
PCI DSS 4.0 Transition Timeline
Although PCI DSS 4.0 has been formally published, the previous version, PCI DSS 3.2.1, will remain in effect until March 31, 2024. This transition period is intended to give organizations enough time to update their reporting templates and forms, become familiar with the changes in version 4.0, and plan the adjustments needed to comply with the current requirements.
When PCI DSS version 3.2.1 retires on March 31, 2024, version 4.0 will be the only version in use. It is also important to remember that the date on which the new, future-dated requirements become mandatory will depend on how those requirements affect the implementation of the standard’s security measures. That date is likely later than the scheduled transition period, possibly two and a half to three years after the release of version 4.0.
PCI DSS Compliance with Akitra!
Establishing trust is a crucial competitive differentiator when prospecting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our service helps customers prepare for PCI DSS compliance, along with other frameworks such as SOC 1, SOC 2, ISO 27001, ISO 27701, ISO 27017, ISO 27018, HIPAA, GDPR, CMMC, NIST 800-53, NIST 800-171, FedRAMP, and benchmarks such as the CIS AWS Foundations Benchmark. In addition, companies can use Akitra’s automated questionnaire product to streamline and expedite security questionnaire responses, delivering large cost savings. Our compliance and security experts provide customized guidance to navigate the end-to-end compliance process confidently.
The benefits of our solution include substantial savings in time, staff effort, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.